6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d

Analysis

max time kernel
163s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
Size

72KB
MD5

8232388f3c47803640fe1195bf346ec8
SHA1

7d7bf0dfc481c06a87d17c9b1bad3636a4fabcd7
SHA256

6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d
SHA512

3688b8ac41ebcf7431fcf17f93e8a01be44dd2cec478f39f8b65e101ef966509b1371603b19db7830fb918f4059428f696b80acdb46da930ea859e10f1b0f2ce
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2O:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPa

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
896	backup.exe
1940	backup.exe
1148	backup.exe
604	backup.exe
1288	backup.exe
1764	backup.exe
1792	backup.exe
1728	backup.exe
1080	backup.exe
748	backup.exe
2020	backup.exe
556	backup.exe
1548	backup.exe
1772	System Restore.exe
1948	backup.exe
1628	backup.exe
960	data.exe
1212	backup.exe
1704	backup.exe
1008	backup.exe
932	backup.exe
1524	backup.exe
1324	backup.exe
1500	backup.exe
1340	System Restore.exe
1448	backup.exe
1268	backup.exe
1780	backup.exe
1564	backup.exe
336	backup.exe
1792	backup.exe
1540	backup.exe
1744	backup.exe
616	backup.exe
1056	backup.exe
756	backup.exe
1232	backup.exe
1556	backup.exe
860	backup.exe
520	backup.exe
1636	backup.exe
788	backup.exe
1960	backup.exe
1048	backup.exe
1320	backup.exe
1020	backup.exe
1616	backup.exe
2012	backup.exe
1984	backup.exe
1704	backup.exe
2024	backup.exe
1532	backup.exe
1200	backup.exe
1224	backup.exe
1752	backup.exe
1240	backup.exe
1360	backup.exe
1300	backup.exe
1804	backup.exe
1364	data.exe
1540	backup.exe
2044	backup.exe
1056	backup.exe
756	data.exe

Loads dropped DLL 64 IoCs

pid	Process
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1764	backup.exe
1764	backup.exe
1728	backup.exe
1728	backup.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
1764	backup.exe
1764	backup.exe
2020	backup.exe
2020	backup.exe
556	backup.exe
556	backup.exe
2020	backup.exe
2020	backup.exe
1772	System Restore.exe
1772	System Restore.exe
1948	backup.exe
1948	backup.exe
1948	backup.exe
1948	backup.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
1764	backup.exe
1764	backup.exe
1448	backup.exe
1448	backup.exe
960	data.exe
960	data.exe
960	data.exe
960	data.exe
1268	backup.exe
1268	backup.exe
336	backup.exe
336	backup.exe
960	data.exe
960	data.exe
336	backup.exe
336	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
896	backup.exe
1940	backup.exe
1148	backup.exe
604	backup.exe
1288	backup.exe
1764	backup.exe
1728	backup.exe
1792	backup.exe
748	backup.exe
1080	backup.exe
2020	backup.exe
556	backup.exe
1548	backup.exe
1772	System Restore.exe
1948	backup.exe
1628	backup.exe
960	data.exe
1212	backup.exe
1704	backup.exe
1008	backup.exe
932	backup.exe
1524	backup.exe
1324	backup.exe
1500	backup.exe
1340	System Restore.exe
1448	backup.exe
1268	backup.exe
1780	backup.exe
1564	backup.exe
336	backup.exe
1792	backup.exe
1540	backup.exe
1744	backup.exe
616	backup.exe
1056	backup.exe
756	backup.exe
1232	backup.exe
1556	backup.exe
860	backup.exe
520	backup.exe
1636	backup.exe
788	backup.exe
1960	backup.exe
1048	backup.exe
1320	backup.exe
1616	backup.exe
2012	backup.exe
1984	backup.exe
1704	backup.exe
2024	backup.exe
1532	backup.exe
1200	backup.exe
1224	backup.exe
1752	backup.exe
1240	backup.exe
1360	backup.exe
1300	backup.exe
1804	backup.exe
1364	data.exe
1540	backup.exe
2044	backup.exe
1056	backup.exe
756	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 896	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	26
PID 1992 wrote to memory of 896	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	26
PID 1992 wrote to memory of 896	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	26
PID 1992 wrote to memory of 896	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	26
PID 1992 wrote to memory of 1940	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	27
PID 1992 wrote to memory of 1940	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	27
PID 1992 wrote to memory of 1940	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	27
PID 1992 wrote to memory of 1940	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	27
PID 1992 wrote to memory of 1148	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	28
PID 1992 wrote to memory of 1148	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	28
PID 1992 wrote to memory of 1148	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	28
PID 1992 wrote to memory of 1148	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	28
PID 1992 wrote to memory of 604	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	29
PID 1992 wrote to memory of 604	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	29
PID 1992 wrote to memory of 604	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	29
PID 1992 wrote to memory of 604	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	29
PID 1992 wrote to memory of 1288	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	30
PID 1992 wrote to memory of 1288	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	30
PID 1992 wrote to memory of 1288	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	30
PID 1992 wrote to memory of 1288	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	30
PID 896 wrote to memory of 1764	896	backup.exe	31
PID 896 wrote to memory of 1764	896	backup.exe	31
PID 896 wrote to memory of 1764	896	backup.exe	31
PID 896 wrote to memory of 1764	896	backup.exe	31
PID 1992 wrote to memory of 1792	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	32
PID 1992 wrote to memory of 1792	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	32
PID 1992 wrote to memory of 1792	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	32
PID 1992 wrote to memory of 1792	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	32
PID 1764 wrote to memory of 1728	1764	backup.exe	33
PID 1764 wrote to memory of 1728	1764	backup.exe	33
PID 1764 wrote to memory of 1728	1764	backup.exe	33
PID 1764 wrote to memory of 1728	1764	backup.exe	33
PID 1728 wrote to memory of 1080	1728	backup.exe	34
PID 1728 wrote to memory of 1080	1728	backup.exe	34
PID 1728 wrote to memory of 1080	1728	backup.exe	34
PID 1728 wrote to memory of 1080	1728	backup.exe	34
PID 1992 wrote to memory of 748	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	35
PID 1992 wrote to memory of 748	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	35
PID 1992 wrote to memory of 748	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	35
PID 1992 wrote to memory of 748	1992	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe	35
PID 1764 wrote to memory of 2020	1764	backup.exe	36
PID 1764 wrote to memory of 2020	1764	backup.exe	36
PID 1764 wrote to memory of 2020	1764	backup.exe	36
PID 1764 wrote to memory of 2020	1764	backup.exe	36
PID 2020 wrote to memory of 556	2020	backup.exe	37
PID 2020 wrote to memory of 556	2020	backup.exe	37
PID 2020 wrote to memory of 556	2020	backup.exe	37
PID 2020 wrote to memory of 556	2020	backup.exe	37
PID 556 wrote to memory of 1548	556	backup.exe	38
PID 556 wrote to memory of 1548	556	backup.exe	38
PID 556 wrote to memory of 1548	556	backup.exe	38
PID 556 wrote to memory of 1548	556	backup.exe	38
PID 2020 wrote to memory of 1772	2020	backup.exe	39
PID 2020 wrote to memory of 1772	2020	backup.exe	39
PID 2020 wrote to memory of 1772	2020	backup.exe	39
PID 2020 wrote to memory of 1772	2020	backup.exe	39
PID 1772 wrote to memory of 1948	1772	System Restore.exe	40
PID 1772 wrote to memory of 1948	1772	System Restore.exe	40
PID 1772 wrote to memory of 1948	1772	System Restore.exe	40
PID 1772 wrote to memory of 1948	1772	System Restore.exe	40
PID 1948 wrote to memory of 1628	1948	backup.exe	41
PID 1948 wrote to memory of 1628	1948	backup.exe	41
PID 1948 wrote to memory of 1628	1948	backup.exe	41
PID 1948 wrote to memory of 1628	1948	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe
"C:\Users\Admin\AppData\Local\Temp\6d50aa50005023eedabd9bdc15bf0809615e26e621feb91655f3a0f99a0d835d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992
- C:\Users\Admin\AppData\Local\Temp\1536227911\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1536227911\backup.exe C:\Users\Admin\AppData\Local\Temp\1536227911\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:896
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1728
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2020
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1772
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1200
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2320
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2060
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2136
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1232
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1608
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2044
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2028
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1188
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1184
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1556
      - C:\Program Files\DVD Maker\ja-JP\data.exe
        
        "C:\Program Files\DVD Maker\ja-JP\data.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:676
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1756
    - - C:\Program Files\Google\data.exe
        
        "C:\Program Files\Google\data.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1628
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1016
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1360
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2044
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1940
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2012
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2052
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2164
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1448
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1268
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1500
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:956
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Adobe\Help\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1580
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1200
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:848
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1704
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:808
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1700
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2172
    - - C:\Program Files (x86)\Google\System Restore.exe
        
        "C:\Program Files (x86)\Google\System Restore.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2024
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2032
    - - C:\Program Files (x86)\Microsoft Analysis Services\data.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:788
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2092
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2328
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1352
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:728
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1028
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1260
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1296
      - C:\Users\Admin\Downloads\data.exe
        
        C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2008
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1248
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1584
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2152
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1300
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1524
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:604
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
7213628577cb01972939645e642ca599

SHA1
a452efb59a91a6047b2f4969c9846b5f7f91b059

SHA256
aea94c497f348b391cae5e775085896a141aaa693deb51d70bd1da461a1711c4

SHA512
bfcfb042b102967aff31e000f0d433e6dd74a48be5a6ff0ab80e3f97afb81b6b388256eb26b3ab5264e84a5ef79b88715919a6f5d5e9ca812d54344878157190

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
339fe6f839a3708a04fbc7cbc68570d1

SHA1
6e7184be939e0a40c9c2f7cdcedeeeb29dd8872e

SHA256
809b1d84080b3847d1110fbd5961d9876c957090b7f3d41a0338b3c40f467086

SHA512
ee5e1e708c429a5a97d5b9a4f092cc054e121a7f684b365848b92e87e834c83406008332e2ab657f52976167b0c1c4a0e922b3d0a977775bf3470a7709a20a70

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
339fe6f839a3708a04fbc7cbc68570d1

SHA1
6e7184be939e0a40c9c2f7cdcedeeeb29dd8872e

SHA256
809b1d84080b3847d1110fbd5961d9876c957090b7f3d41a0338b3c40f467086

SHA512
ee5e1e708c429a5a97d5b9a4f092cc054e121a7f684b365848b92e87e834c83406008332e2ab657f52976167b0c1c4a0e922b3d0a977775bf3470a7709a20a70

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d26dec0768727c8afbe3e67c0a49e67b

SHA1
751e8b1329746354978af0257025b36bbd8e44fb

SHA256
dd2f5830f2e3fac9fb32859388b3352448eab74e6ebd752be9bbc9d2e980ce48

SHA512
7ac88cb6dee4b1b8dac5c2afa96f6d9f4d53178753b0d8277e0fe9b9042af4e68f9773bf10baa72b40942ffa52f96690e400363583b1454ef125e1dd7cc8c6a3

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f02998fdf55f51d835c8d353d86e0131

SHA1
b83826da190964cce09ffeac85bca6414f08bc17

SHA256
b3da811e58d490ea904b6cd48d939f747b53e19073c48dabd2715f35c95f6bc2

SHA512
c31adf4e6205c7322b23c5bcbbb43f80c0f403bb5a8b5da4670a44f021c99da68e591129cf1b34b5c6136e4f4b1a7c2c587a4107a84aaacd63d0870834919974

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f02998fdf55f51d835c8d353d86e0131

SHA1
b83826da190964cce09ffeac85bca6414f08bc17

SHA256
b3da811e58d490ea904b6cd48d939f747b53e19073c48dabd2715f35c95f6bc2

SHA512
c31adf4e6205c7322b23c5bcbbb43f80c0f403bb5a8b5da4670a44f021c99da68e591129cf1b34b5c6136e4f4b1a7c2c587a4107a84aaacd63d0870834919974

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
29c29b54cbe45e9290249e9a187d133d

SHA1
6b0ec8c9e1c472c5c9fbac9c8909029e7634cdca

SHA256
8a126957256c27b41091639700cf3d11a76d7585fafa50b71e34d93181eded22

SHA512
1195c58dbc271b3f6f325bcd3878a491776c9d0c52264deb010c80708783e3b74f77bade82ce915c7e814a27b378f853d5f9ac48e1e55ed173691d4a626f2837

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bdbe2eb0aaddf4afe6604fae5e41abb8

SHA1
594a45cb5ff2c6947b4633cb6743eaae3741ee12

SHA256
5aa0485ade90c94876a9a0d8e6b7f1e9fb57ca35baba160b1a6f37f505c5d066

SHA512
e0f1fe1528fa45bde0fdb1d9273f0cfa37b98463095d413a57fddf3807c118233986c88d91e6dcd688c3f735987e4848baf271ea49cedae5afc6d9cf4c633a54

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bdbe2eb0aaddf4afe6604fae5e41abb8

SHA1
594a45cb5ff2c6947b4633cb6743eaae3741ee12

SHA256
5aa0485ade90c94876a9a0d8e6b7f1e9fb57ca35baba160b1a6f37f505c5d066

SHA512
e0f1fe1528fa45bde0fdb1d9273f0cfa37b98463095d413a57fddf3807c118233986c88d91e6dcd688c3f735987e4848baf271ea49cedae5afc6d9cf4c633a54

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
830c2a685900109ff3bffb60f987bcf7

SHA1
ca0b0a02a2f5755f0fe278036dab4475dacb2549

SHA256
f2f26d0d32422496403a0f65e8cf885b201bc54446ee7a2d6653feb758956ab5

SHA512
04e984ce90c87aa4b1672304877ddfcba3eb181215da9fa8a333a0d6e01c9bdfd82171f438187dca370db198c31868e5dd6fba3ca39a4ec361e914842ba93240

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3db92c1676c9b4c9c2e7a0fd0d244acb

SHA1
0cfb8a6e8e3c645346a42662c6e10260a714abe5

SHA256
cab049d7b4dcfb091f3a4537ed1be06734e21b7be1f732d03320f50becd65bea

SHA512
018791a43517c13a2afaa8da6159a3ee2919d9db63518ff477232374a0ca1afd7971ebd87c6949fcf372916550f70825ca0c4528ee2ea63a0cbc6eeeb58e0f64

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
4f7f3f2799fa8c4c738be00ed293d472

SHA1
33159456c025af4267e305c9d93078ecb5c6a11f

SHA256
0c9c51bad3332ed93b279dbeea40940a4fa0ccd86318098624135ca90d4f23de

SHA512
70e903897bc48273ec8def7079befac26f7295c0ef461559dd69115d250710d4298d2b7353057582164342086e6a25f344f80daea46bf71163791c1af32c2c12

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
4f7f3f2799fa8c4c738be00ed293d472

SHA1
33159456c025af4267e305c9d93078ecb5c6a11f

SHA256
0c9c51bad3332ed93b279dbeea40940a4fa0ccd86318098624135ca90d4f23de

SHA512
70e903897bc48273ec8def7079befac26f7295c0ef461559dd69115d250710d4298d2b7353057582164342086e6a25f344f80daea46bf71163791c1af32c2c12

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
7d6e48f8d4dc80d47d2122426442a33f

SHA1
a8429964105f03713bea3e1f55fa457fb7777f25

SHA256
4cbdba3470541d4a7d5fd7d57931610b4ed552164ec09d006f45d9477516bc72

SHA512
ae9b15242e1297419a0adf789967fa77aee0e6ebf3e5bef9db77bb1a51813109756dc6821a7f3d0860d355819f9bc47af74df49298640c25a1fe97d83c3c5053

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
7d6e48f8d4dc80d47d2122426442a33f

SHA1
a8429964105f03713bea3e1f55fa457fb7777f25

SHA256
4cbdba3470541d4a7d5fd7d57931610b4ed552164ec09d006f45d9477516bc72

SHA512
ae9b15242e1297419a0adf789967fa77aee0e6ebf3e5bef9db77bb1a51813109756dc6821a7f3d0860d355819f9bc47af74df49298640c25a1fe97d83c3c5053

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f4a83f2fb3db3f471d9776ddf7f88a22

SHA1
0fbc7e6dbd4b1475716900c6613ead5660edcc19

SHA256
d446bbedb1f1717e2e423caddec48960bd461ad9c70bcce73ee01d50a610cc5b

SHA512
5540d0fb9d96126cdcf7053809d0381e812185629df945e507e89f45f5d13ee926967b13a3401719bbd86d11f667a1080094f3c2d24fc57b9f0c786a161ae6f6

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f4a83f2fb3db3f471d9776ddf7f88a22

SHA1
0fbc7e6dbd4b1475716900c6613ead5660edcc19

SHA256
d446bbedb1f1717e2e423caddec48960bd461ad9c70bcce73ee01d50a610cc5b

SHA512
5540d0fb9d96126cdcf7053809d0381e812185629df945e507e89f45f5d13ee926967b13a3401719bbd86d11f667a1080094f3c2d24fc57b9f0c786a161ae6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1536227911\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1536227911\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c3854ce22c107d4fea207adefb6dc904

SHA1
f4fbcad5715361671d42993f2c506692a5c8d11f

SHA256
d4645af1b98ad8264e8e2cd42b887f229506cfe77053d2df305639fc8aae810a

SHA512
70ec9e5b0373753bb6c4c7fb4cc849c7decfa912902157003d0bee6a3cc281a3051d3de1c5979f38cc19d2b46b349e23474c28751e3e72693e0fc746dcaa5292

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
5596c3a102acaaf67274a2374af697d1

SHA1
cd28e293f801205f0282fc467d85cc557c979468

SHA256
846deeaae63456b14beef78947568df8c2e549c9d0c91d9bad04e68990e6fcbb

SHA512
8451fdd3f4f1fd087bdfd21e1dab36a979422a9d6c65dc1b24d9d1f0df881be7b457762a6be280d138363eeed5cbd7700ea6e82931c89c406bc1364756a0c942

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a64c768656e764ce99ea180f24095e3c

SHA1
d68ef7160c82f38c5e90244cafccc7975cc5e2bd

SHA256
22c570ac8481cba71c5078776406dabba706a44590046996e2c8ffe935a1bb2c

SHA512
f301a9936d97dfddc05d9fccffe1b1952ae30ab9deb1f8d2a4fcc4df41f8504d5b99fdb4f9f9478b9f3921f28f5aff39c659f383de69cd4dbce1759a5b1bb952

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a64c768656e764ce99ea180f24095e3c

SHA1
d68ef7160c82f38c5e90244cafccc7975cc5e2bd

SHA256
22c570ac8481cba71c5078776406dabba706a44590046996e2c8ffe935a1bb2c

SHA512
f301a9936d97dfddc05d9fccffe1b1952ae30ab9deb1f8d2a4fcc4df41f8504d5b99fdb4f9f9478b9f3921f28f5aff39c659f383de69cd4dbce1759a5b1bb952

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
7213628577cb01972939645e642ca599

SHA1
a452efb59a91a6047b2f4969c9846b5f7f91b059

SHA256
aea94c497f348b391cae5e775085896a141aaa693deb51d70bd1da461a1711c4

SHA512
bfcfb042b102967aff31e000f0d433e6dd74a48be5a6ff0ab80e3f97afb81b6b388256eb26b3ab5264e84a5ef79b88715919a6f5d5e9ca812d54344878157190

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
7213628577cb01972939645e642ca599

SHA1
a452efb59a91a6047b2f4969c9846b5f7f91b059

SHA256
aea94c497f348b391cae5e775085896a141aaa693deb51d70bd1da461a1711c4

SHA512
bfcfb042b102967aff31e000f0d433e6dd74a48be5a6ff0ab80e3f97afb81b6b388256eb26b3ab5264e84a5ef79b88715919a6f5d5e9ca812d54344878157190

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
339fe6f839a3708a04fbc7cbc68570d1

SHA1
6e7184be939e0a40c9c2f7cdcedeeeb29dd8872e

SHA256
809b1d84080b3847d1110fbd5961d9876c957090b7f3d41a0338b3c40f467086

SHA512
ee5e1e708c429a5a97d5b9a4f092cc054e121a7f684b365848b92e87e834c83406008332e2ab657f52976167b0c1c4a0e922b3d0a977775bf3470a7709a20a70

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
339fe6f839a3708a04fbc7cbc68570d1

SHA1
6e7184be939e0a40c9c2f7cdcedeeeb29dd8872e

SHA256
809b1d84080b3847d1110fbd5961d9876c957090b7f3d41a0338b3c40f467086

SHA512
ee5e1e708c429a5a97d5b9a4f092cc054e121a7f684b365848b92e87e834c83406008332e2ab657f52976167b0c1c4a0e922b3d0a977775bf3470a7709a20a70

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d26dec0768727c8afbe3e67c0a49e67b

SHA1
751e8b1329746354978af0257025b36bbd8e44fb

SHA256
dd2f5830f2e3fac9fb32859388b3352448eab74e6ebd752be9bbc9d2e980ce48

SHA512
7ac88cb6dee4b1b8dac5c2afa96f6d9f4d53178753b0d8277e0fe9b9042af4e68f9773bf10baa72b40942ffa52f96690e400363583b1454ef125e1dd7cc8c6a3

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
d26dec0768727c8afbe3e67c0a49e67b

SHA1
751e8b1329746354978af0257025b36bbd8e44fb

SHA256
dd2f5830f2e3fac9fb32859388b3352448eab74e6ebd752be9bbc9d2e980ce48

SHA512
7ac88cb6dee4b1b8dac5c2afa96f6d9f4d53178753b0d8277e0fe9b9042af4e68f9773bf10baa72b40942ffa52f96690e400363583b1454ef125e1dd7cc8c6a3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f02998fdf55f51d835c8d353d86e0131

SHA1
b83826da190964cce09ffeac85bca6414f08bc17

SHA256
b3da811e58d490ea904b6cd48d939f747b53e19073c48dabd2715f35c95f6bc2

SHA512
c31adf4e6205c7322b23c5bcbbb43f80c0f403bb5a8b5da4670a44f021c99da68e591129cf1b34b5c6136e4f4b1a7c2c587a4107a84aaacd63d0870834919974

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f02998fdf55f51d835c8d353d86e0131

SHA1
b83826da190964cce09ffeac85bca6414f08bc17

SHA256
b3da811e58d490ea904b6cd48d939f747b53e19073c48dabd2715f35c95f6bc2

SHA512
c31adf4e6205c7322b23c5bcbbb43f80c0f403bb5a8b5da4670a44f021c99da68e591129cf1b34b5c6136e4f4b1a7c2c587a4107a84aaacd63d0870834919974

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
29c29b54cbe45e9290249e9a187d133d

SHA1
6b0ec8c9e1c472c5c9fbac9c8909029e7634cdca

SHA256
8a126957256c27b41091639700cf3d11a76d7585fafa50b71e34d93181eded22

SHA512
1195c58dbc271b3f6f325bcd3878a491776c9d0c52264deb010c80708783e3b74f77bade82ce915c7e814a27b378f853d5f9ac48e1e55ed173691d4a626f2837

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
29c29b54cbe45e9290249e9a187d133d

SHA1
6b0ec8c9e1c472c5c9fbac9c8909029e7634cdca

SHA256
8a126957256c27b41091639700cf3d11a76d7585fafa50b71e34d93181eded22

SHA512
1195c58dbc271b3f6f325bcd3878a491776c9d0c52264deb010c80708783e3b74f77bade82ce915c7e814a27b378f853d5f9ac48e1e55ed173691d4a626f2837

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bdbe2eb0aaddf4afe6604fae5e41abb8

SHA1
594a45cb5ff2c6947b4633cb6743eaae3741ee12

SHA256
5aa0485ade90c94876a9a0d8e6b7f1e9fb57ca35baba160b1a6f37f505c5d066

SHA512
e0f1fe1528fa45bde0fdb1d9273f0cfa37b98463095d413a57fddf3807c118233986c88d91e6dcd688c3f735987e4848baf271ea49cedae5afc6d9cf4c633a54

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
bdbe2eb0aaddf4afe6604fae5e41abb8

SHA1
594a45cb5ff2c6947b4633cb6743eaae3741ee12

SHA256
5aa0485ade90c94876a9a0d8e6b7f1e9fb57ca35baba160b1a6f37f505c5d066

SHA512
e0f1fe1528fa45bde0fdb1d9273f0cfa37b98463095d413a57fddf3807c118233986c88d91e6dcd688c3f735987e4848baf271ea49cedae5afc6d9cf4c633a54

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
830c2a685900109ff3bffb60f987bcf7

SHA1
ca0b0a02a2f5755f0fe278036dab4475dacb2549

SHA256
f2f26d0d32422496403a0f65e8cf885b201bc54446ee7a2d6653feb758956ab5

SHA512
04e984ce90c87aa4b1672304877ddfcba3eb181215da9fa8a333a0d6e01c9bdfd82171f438187dca370db198c31868e5dd6fba3ca39a4ec361e914842ba93240

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
830c2a685900109ff3bffb60f987bcf7

SHA1
ca0b0a02a2f5755f0fe278036dab4475dacb2549

SHA256
f2f26d0d32422496403a0f65e8cf885b201bc54446ee7a2d6653feb758956ab5

SHA512
04e984ce90c87aa4b1672304877ddfcba3eb181215da9fa8a333a0d6e01c9bdfd82171f438187dca370db198c31868e5dd6fba3ca39a4ec361e914842ba93240

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3db92c1676c9b4c9c2e7a0fd0d244acb

SHA1
0cfb8a6e8e3c645346a42662c6e10260a714abe5

SHA256
cab049d7b4dcfb091f3a4537ed1be06734e21b7be1f732d03320f50becd65bea

SHA512
018791a43517c13a2afaa8da6159a3ee2919d9db63518ff477232374a0ca1afd7971ebd87c6949fcf372916550f70825ca0c4528ee2ea63a0cbc6eeeb58e0f64

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
3db92c1676c9b4c9c2e7a0fd0d244acb

SHA1
0cfb8a6e8e3c645346a42662c6e10260a714abe5

SHA256
cab049d7b4dcfb091f3a4537ed1be06734e21b7be1f732d03320f50becd65bea

SHA512
018791a43517c13a2afaa8da6159a3ee2919d9db63518ff477232374a0ca1afd7971ebd87c6949fcf372916550f70825ca0c4528ee2ea63a0cbc6eeeb58e0f64

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
3db92c1676c9b4c9c2e7a0fd0d244acb

SHA1
0cfb8a6e8e3c645346a42662c6e10260a714abe5

SHA256
cab049d7b4dcfb091f3a4537ed1be06734e21b7be1f732d03320f50becd65bea

SHA512
018791a43517c13a2afaa8da6159a3ee2919d9db63518ff477232374a0ca1afd7971ebd87c6949fcf372916550f70825ca0c4528ee2ea63a0cbc6eeeb58e0f64

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
4f7f3f2799fa8c4c738be00ed293d472

SHA1
33159456c025af4267e305c9d93078ecb5c6a11f

SHA256
0c9c51bad3332ed93b279dbeea40940a4fa0ccd86318098624135ca90d4f23de

SHA512
70e903897bc48273ec8def7079befac26f7295c0ef461559dd69115d250710d4298d2b7353057582164342086e6a25f344f80daea46bf71163791c1af32c2c12

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
72KB

MD5
4f7f3f2799fa8c4c738be00ed293d472

SHA1
33159456c025af4267e305c9d93078ecb5c6a11f

SHA256
0c9c51bad3332ed93b279dbeea40940a4fa0ccd86318098624135ca90d4f23de

SHA512
70e903897bc48273ec8def7079befac26f7295c0ef461559dd69115d250710d4298d2b7353057582164342086e6a25f344f80daea46bf71163791c1af32c2c12

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
7d6e48f8d4dc80d47d2122426442a33f

SHA1
a8429964105f03713bea3e1f55fa457fb7777f25

SHA256
4cbdba3470541d4a7d5fd7d57931610b4ed552164ec09d006f45d9477516bc72

SHA512
ae9b15242e1297419a0adf789967fa77aee0e6ebf3e5bef9db77bb1a51813109756dc6821a7f3d0860d355819f9bc47af74df49298640c25a1fe97d83c3c5053

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
7d6e48f8d4dc80d47d2122426442a33f

SHA1
a8429964105f03713bea3e1f55fa457fb7777f25

SHA256
4cbdba3470541d4a7d5fd7d57931610b4ed552164ec09d006f45d9477516bc72

SHA512
ae9b15242e1297419a0adf789967fa77aee0e6ebf3e5bef9db77bb1a51813109756dc6821a7f3d0860d355819f9bc47af74df49298640c25a1fe97d83c3c5053

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f4a83f2fb3db3f471d9776ddf7f88a22

SHA1
0fbc7e6dbd4b1475716900c6613ead5660edcc19

SHA256
d446bbedb1f1717e2e423caddec48960bd461ad9c70bcce73ee01d50a610cc5b

SHA512
5540d0fb9d96126cdcf7053809d0381e812185629df945e507e89f45f5d13ee926967b13a3401719bbd86d11f667a1080094f3c2d24fc57b9f0c786a161ae6f6

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f4a83f2fb3db3f471d9776ddf7f88a22

SHA1
0fbc7e6dbd4b1475716900c6613ead5660edcc19

SHA256
d446bbedb1f1717e2e423caddec48960bd461ad9c70bcce73ee01d50a610cc5b

SHA512
5540d0fb9d96126cdcf7053809d0381e812185629df945e507e89f45f5d13ee926967b13a3401719bbd86d11f667a1080094f3c2d24fc57b9f0c786a161ae6f6

Download Submit
\Users\Admin\AppData\Local\Temp\1536227911\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
\Users\Admin\AppData\Local\Temp\1536227911\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
497f5890f2ee3bbc142604ba353ab70d

SHA1
d67093b147a8c24b5720b1293891111439c8f849

SHA256
32ec1cb3a1e7874f72935aff2ac5ab8888701986eea856deaff31d4ade49244f

SHA512
9414b27c1631f83fb86165f29a8c3739ccd81ab7902bb186e078f1625bd7fdaf9147db1e74b19f9db56fa9dab3223fadf4c4d9cc5fd79b293d534bd3a457643e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c3854ce22c107d4fea207adefb6dc904

SHA1
f4fbcad5715361671d42993f2c506692a5c8d11f

SHA256
d4645af1b98ad8264e8e2cd42b887f229506cfe77053d2df305639fc8aae810a

SHA512
70ec9e5b0373753bb6c4c7fb4cc849c7decfa912902157003d0bee6a3cc281a3051d3de1c5979f38cc19d2b46b349e23474c28751e3e72693e0fc746dcaa5292

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c3854ce22c107d4fea207adefb6dc904

SHA1
f4fbcad5715361671d42993f2c506692a5c8d11f

SHA256
d4645af1b98ad8264e8e2cd42b887f229506cfe77053d2df305639fc8aae810a

SHA512
70ec9e5b0373753bb6c4c7fb4cc849c7decfa912902157003d0bee6a3cc281a3051d3de1c5979f38cc19d2b46b349e23474c28751e3e72693e0fc746dcaa5292

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
58c2f8bb5b44e85e0ee51e13f93904e6

SHA1
a9d00ed695bcc55437fbb92613232395b57591a8

SHA256
b32a696eecf959a11d5bb91055d4dbd001efe0fbf072816f2612ab547909d394

SHA512
3f9d2bd988ca3be7a1e9e2a7c4b53e8eb6110faba6b35b239327d0de59c04133c555e12d69cbd84e63d26ced98b5d3e18a97ef31fd1232bf4a2e6ec9866717e6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
5596c3a102acaaf67274a2374af697d1

SHA1
cd28e293f801205f0282fc467d85cc557c979468

SHA256
846deeaae63456b14beef78947568df8c2e549c9d0c91d9bad04e68990e6fcbb

SHA512
8451fdd3f4f1fd087bdfd21e1dab36a979422a9d6c65dc1b24d9d1f0df881be7b457762a6be280d138363eeed5cbd7700ea6e82931c89c406bc1364756a0c942

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
5596c3a102acaaf67274a2374af697d1

SHA1
cd28e293f801205f0282fc467d85cc557c979468

SHA256
846deeaae63456b14beef78947568df8c2e549c9d0c91d9bad04e68990e6fcbb

SHA512
8451fdd3f4f1fd087bdfd21e1dab36a979422a9d6c65dc1b24d9d1f0df881be7b457762a6be280d138363eeed5cbd7700ea6e82931c89c406bc1364756a0c942

Download Submit
memory/1992-124-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads