2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50

Analysis

max time kernel
163s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
Size

72KB
MD5

045008d772cb29c489d7f9aa1d265860
SHA1

8af767925beb67038ba35f843b1dad8b996bae70
SHA256

2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50
SHA512

81ef739f28569ba0353c574f8f581d22d6ae476f00b610dbf43a3eac0bd453488bfd13c1963eb8c44bd2eb2d5f246774a0f87a816522ecf525a2f9d6af2abfc1
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf28:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPo

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1784	backup.exe
1596	backup.exe
1640	backup.exe
1632	update.exe
1524	backup.exe
524	update.exe
792	backup.exe
1628	backup.exe
1732	backup.exe
1940	backup.exe
2028	backup.exe
1532	backup.exe
1188	backup.exe
1932	backup.exe
940	backup.exe
1748	backup.exe
2032	backup.exe
1656	backup.exe
1396	backup.exe
1788	backup.exe
1968	backup.exe
880	backup.exe
900	data.exe
908	backup.exe
964	backup.exe
1076	backup.exe
856	backup.exe
300	backup.exe
1944	backup.exe
1144	System Restore.exe
1500	backup.exe
1184	backup.exe
1156	backup.exe
2028	backup.exe
960	backup.exe
1532	backup.exe
1696	backup.exe
1744	backup.exe
1080	backup.exe
2008	backup.exe
1956	backup.exe
1888	backup.exe
1644	backup.exe
1656	backup.exe
1548	backup.exe
1448	backup.exe
1640	backup.exe
1492	backup.exe
980	backup.exe
536	backup.exe
964	backup.exe
1076	backup.exe
856	backup.exe
1948	backup.exe
1452	backup.exe
364	backup.exe
1764	backup.exe
1628	data.exe
1996	backup.exe
1832	backup.exe
1256	backup.exe
540	backup.exe
1080	backup.exe
1148	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
1596	backup.exe
1596	backup.exe
1640	backup.exe
1640	backup.exe
1596	backup.exe
524	update.exe
1632	update.exe
524	update.exe
1632	update.exe
1632	update.exe
524	update.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
524	update.exe
524	update.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
1628	backup.exe
1628	backup.exe
1628	backup.exe
1628	backup.exe
1628	backup.exe
1940	backup.exe
1940	backup.exe
1940	backup.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
524	update.exe
524	update.exe
1188	backup.exe
1188	backup.exe
1188	backup.exe
1188	backup.exe
1188	backup.exe
1932	backup.exe
1932	backup.exe
1932	backup.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
1932	backup.exe
1932	backup.exe
1748	backup.exe
1748	backup.exe
1748	backup.exe
1932	backup.exe
1932	backup.exe
2032	backup.exe
2032	backup.exe
2032	backup.exe
2032	backup.exe
2032	backup.exe
1656	backup.exe
1656	backup.exe
1656	backup.exe
2032	backup.exe
2032	backup.exe
1396	backup.exe
1396	backup.exe
1396	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\update.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\data.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
1784	backup.exe
1596	backup.exe
1640	backup.exe
1524	backup.exe
524	update.exe
1632	update.exe
792	backup.exe
1732	backup.exe
1628	backup.exe
1940	backup.exe
2028	backup.exe
1532	backup.exe
1188	backup.exe
1932	backup.exe
940	backup.exe
1748	backup.exe
2032	backup.exe
1656	backup.exe
1396	backup.exe
1788	backup.exe
1968	backup.exe
880	backup.exe
900	data.exe
908	backup.exe
964	backup.exe
1076	backup.exe
856	backup.exe
300	backup.exe
1944	backup.exe
1144	System Restore.exe
1500	backup.exe
1156	backup.exe
1184	backup.exe
2028	backup.exe
960	backup.exe
1532	backup.exe
1696	backup.exe
1744	backup.exe
1080	backup.exe
2008	backup.exe
1956	backup.exe
1888	backup.exe
1644	backup.exe
1656	backup.exe
1548	backup.exe
1448	backup.exe
1640	backup.exe
1492	backup.exe
980	backup.exe
536	backup.exe
964	backup.exe
1076	backup.exe
856	backup.exe
1948	backup.exe
1452	backup.exe
1764	backup.exe
364	backup.exe
1628	data.exe
1996	backup.exe
1832	backup.exe
1256	backup.exe
540	backup.exe
1080	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 1784	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	26
PID 604 wrote to memory of 1784	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	26
PID 604 wrote to memory of 1784	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	26
PID 604 wrote to memory of 1784	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	26
PID 1784 wrote to memory of 1596	1784	backup.exe	28
PID 1784 wrote to memory of 1596	1784	backup.exe	28
PID 1784 wrote to memory of 1596	1784	backup.exe	28
PID 1784 wrote to memory of 1596	1784	backup.exe	28
PID 1596 wrote to memory of 1640	1596	backup.exe	29
PID 1596 wrote to memory of 1640	1596	backup.exe	29
PID 1596 wrote to memory of 1640	1596	backup.exe	29
PID 1596 wrote to memory of 1640	1596	backup.exe	29
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 604 wrote to memory of 1632	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	27
PID 1640 wrote to memory of 1524	1640	backup.exe	30
PID 1640 wrote to memory of 1524	1640	backup.exe	30
PID 1640 wrote to memory of 1524	1640	backup.exe	30
PID 1640 wrote to memory of 1524	1640	backup.exe	30
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 1596 wrote to memory of 524	1596	backup.exe	31
PID 604 wrote to memory of 792	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	32
PID 604 wrote to memory of 792	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	32
PID 604 wrote to memory of 792	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	32
PID 604 wrote to memory of 792	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	32
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 524 wrote to memory of 1628	524	update.exe	33
PID 604 wrote to memory of 1732	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	34
PID 604 wrote to memory of 1732	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	34
PID 604 wrote to memory of 1732	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	34
PID 604 wrote to memory of 1732	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	34
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 1628 wrote to memory of 1940	1628	backup.exe	35
PID 604 wrote to memory of 2028	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	36
PID 604 wrote to memory of 2028	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	36
PID 604 wrote to memory of 2028	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	36
PID 604 wrote to memory of 2028	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	36
PID 604 wrote to memory of 1532	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	37
PID 604 wrote to memory of 1532	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	37
PID 604 wrote to memory of 1532	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	37
PID 604 wrote to memory of 1532	604	2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe	37
PID 524 wrote to memory of 1188	524	update.exe	38
PID 524 wrote to memory of 1188	524	update.exe	38
PID 524 wrote to memory of 1188	524	update.exe	38
PID 524 wrote to memory of 1188	524	update.exe	38

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe
"C:\Users\Admin\AppData\Local\Temp\2f0ca66773f76309e20c49061fe926b6cf55cb1ed21678295c121eed48dedb50.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\4072833077\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4072833077\backup.exe C:\Users\Admin\AppData\Local\Temp\4072833077\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1596
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1524
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1940
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1188
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2412
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2224
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\update.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2352
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        System policy modification
        
        PID:1208
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1788
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1764
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:552
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:364
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:468
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1396
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1572
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2208
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2360
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:2476
    - - C:\Program Files\DVD Maker\data.exe
        
        "C:\Program Files\DVD Maker\data.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1628
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:860
      - C:\Program Files\DVD Maker\es-ES\data.exe
        
        "C:\Program Files\DVD Maker\es-ES\data.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1812
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1440
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1632
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1080
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1256
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:300
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:112
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1224
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1156
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1576
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1408
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1008
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2468
    - - C:\Program Files\Java\data.exe
        
        "C:\Program Files\Java\data.exe" C:\Program Files\Java\
        5⤵
        
        PID:988
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1800
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2108
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2296
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2460
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1500
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1156
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        System policy modification
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        System policy modification
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        
        PID:284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1824
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:576
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:772
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1440
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:584
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:912
      - C:\Program Files (x86)\Common Files\DESIGNER\update.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\update.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1696
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:632
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2072
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2192
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2336
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1588
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:908
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1652
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Google\Update\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\System Restore.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2216
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1560
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1992
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2156
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2420
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1968
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:836
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:956
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1760
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1004
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1504
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1220
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2184
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2320
      - C:\Users\Admin\Pictures\data.exe
        
        C:\Users\Admin\Pictures\data.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2452
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:572
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:796
      - C:\Users\Public\Downloads\data.exe
        
        C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:876
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1548
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:984
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2200
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2344
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:668
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1144
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1464
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1412
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1188
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2140
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2272
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2428
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:792
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc81fde0347e1875168694d544170709

SHA1
75ab4c2ce0285620aef0fffe7d2d18970c87c8ac

SHA256
6f50c3ec09672fff2d92bd9cc96d00029a30485ba4455c9f0c68db510c615f77

SHA512
d64f9a1a170b7f2eee83d9bfa80d234da34dd8631271d29082ac8dd3660f76c023d79dede817683f29b0cfdcd73e7335c78d12134e948920b46be4f5a3e2db37

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b14e02d92e3d2b0883b3ec3e0ac92ada

SHA1
e101c1e4a52cd74a94da596f3f7cff60c2f6862b

SHA256
f037686edae3db370fa1fc2133d867219fa4eeed00238f5a1951bce3c7492436

SHA512
0bc589bc5112aa2d206a4038546392a76104198e17a2ce3c1f2e54c03d5186ddb90cc6f2905d10d43efde11757c8fb84ec3e18518eb7c14a54a2434376bbf26a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b14e02d92e3d2b0883b3ec3e0ac92ada

SHA1
e101c1e4a52cd74a94da596f3f7cff60c2f6862b

SHA256
f037686edae3db370fa1fc2133d867219fa4eeed00238f5a1951bce3c7492436

SHA512
0bc589bc5112aa2d206a4038546392a76104198e17a2ce3c1f2e54c03d5186ddb90cc6f2905d10d43efde11757c8fb84ec3e18518eb7c14a54a2434376bbf26a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4072833077\backup.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4072833077\backup.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b3d716e82e3078dfff46397f999422d3

SHA1
e2b786d15edae6aad7fc5c9c2f468afbcca176d9

SHA256
68f85c0994c77e70daeba5d567fbccd04c341b64c03f5d3144caec533cf6973b

SHA512
4f17566632d3464707e83c2194334b9edb49e26dc77166588a12010ef7f6bb24aadd7f0282be924d44018f219b8a1782dbf3e3079502bff94dded30c5c4086e9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
86bb3cb467fb1994c1d8abfc142dd77c

SHA1
ab923b0468ec5e4920a83bc17ca21c323ff50eaa

SHA256
0cc6fcdc772f26fa49ece5df7bae7cb1fb1c0574a941413dc8000fad25ce3c95

SHA512
044cffe35a56619b358a1741f6c02e568592b151ab2acf9104d3a07a5db83252cd15df37613e539f9b500ac59fef90497182300d98cda60358ba7f4d43b78ae4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
86bb3cb467fb1994c1d8abfc142dd77c

SHA1
ab923b0468ec5e4920a83bc17ca21c323ff50eaa

SHA256
0cc6fcdc772f26fa49ece5df7bae7cb1fb1c0574a941413dc8000fad25ce3c95

SHA512
044cffe35a56619b358a1741f6c02e568592b151ab2acf9104d3a07a5db83252cd15df37613e539f9b500ac59fef90497182300d98cda60358ba7f4d43b78ae4

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc81fde0347e1875168694d544170709

SHA1
75ab4c2ce0285620aef0fffe7d2d18970c87c8ac

SHA256
6f50c3ec09672fff2d92bd9cc96d00029a30485ba4455c9f0c68db510c615f77

SHA512
d64f9a1a170b7f2eee83d9bfa80d234da34dd8631271d29082ac8dd3660f76c023d79dede817683f29b0cfdcd73e7335c78d12134e948920b46be4f5a3e2db37

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fc81fde0347e1875168694d544170709

SHA1
75ab4c2ce0285620aef0fffe7d2d18970c87c8ac

SHA256
6f50c3ec09672fff2d92bd9cc96d00029a30485ba4455c9f0c68db510c615f77

SHA512
d64f9a1a170b7f2eee83d9bfa80d234da34dd8631271d29082ac8dd3660f76c023d79dede817683f29b0cfdcd73e7335c78d12134e948920b46be4f5a3e2db37

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b14e02d92e3d2b0883b3ec3e0ac92ada

SHA1
e101c1e4a52cd74a94da596f3f7cff60c2f6862b

SHA256
f037686edae3db370fa1fc2133d867219fa4eeed00238f5a1951bce3c7492436

SHA512
0bc589bc5112aa2d206a4038546392a76104198e17a2ce3c1f2e54c03d5186ddb90cc6f2905d10d43efde11757c8fb84ec3e18518eb7c14a54a2434376bbf26a

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
b14e02d92e3d2b0883b3ec3e0ac92ada

SHA1
e101c1e4a52cd74a94da596f3f7cff60c2f6862b

SHA256
f037686edae3db370fa1fc2133d867219fa4eeed00238f5a1951bce3c7492436

SHA512
0bc589bc5112aa2d206a4038546392a76104198e17a2ce3c1f2e54c03d5186ddb90cc6f2905d10d43efde11757c8fb84ec3e18518eb7c14a54a2434376bbf26a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
41a77c7dbe52f8f469f104ba48133573

SHA1
2eb43c6abc49f960ccf5db657da41e343c755358

SHA256
d4a24aa972e62302782c19796cbcfdff7a789a835d3575cdd903e44a94206a6f

SHA512
ac293a8e5a4658dc74132b3d4c0165044fd8c9785d518e39df2ab16211c7d43767c7fc0341cd57319484c9bf31687fee231d8d40f7848e96f4a1636353ba4a09

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
4a2dec43b6c9f54d6b279117b8864098

SHA1
eea3af03e39adfc02216000906ea17b4d22774f0

SHA256
f9284fbbcf23e98cfbb104d4f90e41fbb48ec1c300a39a8471fdabd8d4cd3113

SHA512
38ea47dc125c820ef34431a4da6cae9632f40dc4c9674d34e4e980cc192ec0f9c2a6738bc47706da2e5bf799d2b2995511d2c50417a490249762abce4847a00e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
855efcd325b688618fd7b687c8251982

SHA1
4ce7093a27110bb3c10bf3d76337c8ca752da043

SHA256
a47e26e5e6701fcfb2c951fd52a98c6a486aa960d89b073d5000c179f96f7332

SHA512
f7278b353f4f36f4f421691ee7d665ef0baf3528aaae86c6612506e45d8543a73b6e527a9c49ab9dc099db591b692960465e942ea1148b66ac18683e6657ce8f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c72d8784bad692aa47358a5749b0b1c2

SHA1
e07edb91ea2fc9077e2c5c799ec9e13b89428bd3

SHA256
77ed91e1ca6af28f925cae0ef396e69b910b5baf75f32cb8e2e86d24bbc1f088

SHA512
71b9c522809e0e221c69822b3d222aa13a9ef0e2470302e561e023342d193916629713c2c2ba573dbd67d9c2e9a79a3c905f4acd0d306a9b2db6a1fa678855b2

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18cb21e4c04e3173d66e64049d82602d

SHA1
93a8c2c8cce5be4a42ccdebf5d7fdb4399ca8c22

SHA256
acfa1f7c8c76d5ebae36b9712dfc3504b24f7fc9907d2268f1af1dd1e5b1e1fa

SHA512
6bcf70db97c9efe76256b926ed7b5968cd123a04e2b4ea56c1dd4a0e6cf9731ae85b2d34883f9591da1ad80fa48b90b65ef962d1a20ef37b59faa7a3f34db6e5

Download Submit
\Users\Admin\AppData\Local\Temp\4072833077\backup.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\4072833077\backup.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1e02be7fc9e64546171868408c9323e8

SHA1
692fa518ed6bb3ba5e195608b0be97bd9b6f22ec

SHA256
c6b98f45bae95fcb235ba5dfb6c2eb2f5e8c1b2cc12a0951b4eaaeb3261d56fb

SHA512
3074e56d7d16823a1abdc2d46ee75e4967d676ce10cc1024380b8684273058443795e376cb20f40311757fab1e16c33e621cbc1c5bebccb8854249eea053077e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\update.exe

Filesize
72KB

MD5
b911a231528dcbd919bdd3c3b6d5e2cc

SHA1
1c91b1b266d98430e2bf6c0e460809c49fd58edb

SHA256
35b4143978e0e17f380b21a5a68f38d2aeceb8b7a99aebd1cd6c8e89ff8161d5

SHA512
a0e59dd5353318b77e8b034a55bc56a8c36949dfac0c85412d586f212486a1612bc83d2ec5caa11117da0b42598378ac5098b849e1f5725f3ff7b9078c4e9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b3d716e82e3078dfff46397f999422d3

SHA1
e2b786d15edae6aad7fc5c9c2f468afbcca176d9

SHA256
68f85c0994c77e70daeba5d567fbccd04c341b64c03f5d3144caec533cf6973b

SHA512
4f17566632d3464707e83c2194334b9edb49e26dc77166588a12010ef7f6bb24aadd7f0282be924d44018f219b8a1782dbf3e3079502bff94dded30c5c4086e9

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b3d716e82e3078dfff46397f999422d3

SHA1
e2b786d15edae6aad7fc5c9c2f468afbcca176d9

SHA256
68f85c0994c77e70daeba5d567fbccd04c341b64c03f5d3144caec533cf6973b

SHA512
4f17566632d3464707e83c2194334b9edb49e26dc77166588a12010ef7f6bb24aadd7f0282be924d44018f219b8a1782dbf3e3079502bff94dded30c5c4086e9

Download Submit
memory/524-89-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads