bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28

Analysis

max time kernel
161s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
Size

72KB
MD5

0835be539d86298af9d4f08a8a0a83da
SHA1

584007a4f7358bda7df023efb821c9facb1f60f7
SHA256

bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28
SHA512

ae692fa377312b4ecd26f88782a84b34e3413365eaa95cd6ce682daee0f1ad3bc4dab2bc7e2d9ad9b15c62509ddd81f20ee6aaff158c6bccf2c4e459308abb3e
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2P:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2036	backup.exe
1696	backup.exe
1536	backup.exe
856	backup.exe
892	backup.exe
2028	backup.exe
472	backup.exe
1912	backup.exe
928	backup.exe
1328	backup.exe
708	backup.exe
1476	backup.exe
1504	backup.exe
1480	backup.exe
1648	backup.exe
1888	data.exe
1544	backup.exe
368	backup.exe
472	backup.exe
1548	backup.exe
1340	backup.exe
1912	backup.exe
1932	backup.exe
1260	backup.exe
1892	backup.exe
1468	backup.exe
1688	backup.exe
1368	backup.exe
1508	backup.exe
1264	backup.exe
1772	backup.exe
864	backup.exe
288	backup.exe
1572	backup.exe
620	backup.exe
1976	backup.exe
1068	backup.exe
364	backup.exe
1668	backup.exe
1804	backup.exe
1892	backup.exe
2008	backup.exe
1636	backup.exe
1940	backup.exe
1888	backup.exe
1864	backup.exe
1704	backup.exe
1612	backup.exe
1696	backup.exe
1680	backup.exe
1484	backup.exe
1564	backup.exe
1560	backup.exe
1732	backup.exe
988	backup.exe
524	backup.exe
688	backup.exe
620	backup.exe
1772	backup.exe
928	backup.exe
432	backup.exe
1328	data.exe
1116	backup.exe
1724	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
2028	backup.exe
2028	backup.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
1912	backup.exe
1912	backup.exe
2028	backup.exe
2028	backup.exe
708	backup.exe
708	backup.exe
1476	backup.exe
1476	backup.exe
708	backup.exe
708	backup.exe
1480	backup.exe
1480	backup.exe
1648	backup.exe
1648	backup.exe
1648	backup.exe
1648	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
336	backup.exe
2028	backup.exe
708	backup.exe
2028	backup.exe
708	backup.exe
1648	backup.exe
1648	backup.exe
1480	backup.exe
1480	backup.exe
1480	backup.exe
1480	backup.exe
1688	backup.exe
1688	backup.exe
1368	backup.exe
1508	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\data.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
2036	backup.exe
1696	backup.exe
1536	backup.exe
856	backup.exe
892	backup.exe
2028	backup.exe
472	backup.exe
1912	backup.exe
928	backup.exe
1328	backup.exe
708	backup.exe
1476	backup.exe
1504	backup.exe
1480	backup.exe
1648	backup.exe
1888	data.exe
1624	backup.exe
1564	update.exe
612	backup.exe
1520	backup.exe
1484	backup.exe
1516	data.exe
1772	backup.exe
1396	data.exe
2040	backup.exe
288	backup.exe
892	System Restore.exe
336	backup.exe
368	backup.exe
472	backup.exe
1548	backup.exe
1340	backup.exe
1912	backup.exe
1932	backup.exe
1260	backup.exe
1892	backup.exe
1468	backup.exe
1716	update.exe
276	System Restore.exe
1020	backup.exe
668	backup.exe
1996	backup.exe
1016	backup.exe
1064	backup.exe
1628	backup.exe
1928	backup.exe
1368	backup.exe
1508	backup.exe
1688	backup.exe
1404	backup.exe
1264	backup.exe
1772	backup.exe
856	backup.exe
864	backup.exe
1572	backup.exe
288	backup.exe
1884	backup.exe
620	backup.exe
852	backup.exe
1976	backup.exe
364	backup.exe
1068	backup.exe
1656	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 2036	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	28
PID 968 wrote to memory of 2036	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	28
PID 968 wrote to memory of 2036	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	28
PID 968 wrote to memory of 2036	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	28
PID 968 wrote to memory of 1696	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	29
PID 968 wrote to memory of 1696	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	29
PID 968 wrote to memory of 1696	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	29
PID 968 wrote to memory of 1696	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	29
PID 968 wrote to memory of 1536	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	30
PID 968 wrote to memory of 1536	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	30
PID 968 wrote to memory of 1536	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	30
PID 968 wrote to memory of 1536	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	30
PID 968 wrote to memory of 856	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	31
PID 968 wrote to memory of 856	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	31
PID 968 wrote to memory of 856	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	31
PID 968 wrote to memory of 856	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	31
PID 968 wrote to memory of 892	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	32
PID 968 wrote to memory of 892	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	32
PID 968 wrote to memory of 892	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	32
PID 968 wrote to memory of 892	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	32
PID 2036 wrote to memory of 2028	2036	backup.exe	33
PID 2036 wrote to memory of 2028	2036	backup.exe	33
PID 2036 wrote to memory of 2028	2036	backup.exe	33
PID 2036 wrote to memory of 2028	2036	backup.exe	33
PID 968 wrote to memory of 472	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	34
PID 968 wrote to memory of 472	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	34
PID 968 wrote to memory of 472	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	34
PID 968 wrote to memory of 472	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	34
PID 2028 wrote to memory of 1912	2028	backup.exe	35
PID 2028 wrote to memory of 1912	2028	backup.exe	35
PID 2028 wrote to memory of 1912	2028	backup.exe	35
PID 2028 wrote to memory of 1912	2028	backup.exe	35
PID 968 wrote to memory of 928	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	36
PID 968 wrote to memory of 928	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	36
PID 968 wrote to memory of 928	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	36
PID 968 wrote to memory of 928	968	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe	36
PID 1912 wrote to memory of 1328	1912	backup.exe	37
PID 1912 wrote to memory of 1328	1912	backup.exe	37
PID 1912 wrote to memory of 1328	1912	backup.exe	37
PID 1912 wrote to memory of 1328	1912	backup.exe	37
PID 2028 wrote to memory of 708	2028	backup.exe	38
PID 2028 wrote to memory of 708	2028	backup.exe	38
PID 2028 wrote to memory of 708	2028	backup.exe	38
PID 2028 wrote to memory of 708	2028	backup.exe	38
PID 708 wrote to memory of 1476	708	backup.exe	39
PID 708 wrote to memory of 1476	708	backup.exe	39
PID 708 wrote to memory of 1476	708	backup.exe	39
PID 708 wrote to memory of 1476	708	backup.exe	39
PID 1476 wrote to memory of 1504	1476	backup.exe	40
PID 1476 wrote to memory of 1504	1476	backup.exe	40
PID 1476 wrote to memory of 1504	1476	backup.exe	40
PID 1476 wrote to memory of 1504	1476	backup.exe	40
PID 708 wrote to memory of 1480	708	backup.exe	41
PID 708 wrote to memory of 1480	708	backup.exe	41
PID 708 wrote to memory of 1480	708	backup.exe	41
PID 708 wrote to memory of 1480	708	backup.exe	41
PID 1480 wrote to memory of 1648	1480	backup.exe	42
PID 1480 wrote to memory of 1648	1480	backup.exe	42
PID 1480 wrote to memory of 1648	1480	backup.exe	42
PID 1480 wrote to memory of 1648	1480	backup.exe	42
PID 1648 wrote to memory of 1888	1648	backup.exe	43
PID 1648 wrote to memory of 1888	1648	backup.exe	43
PID 1648 wrote to memory of 1888	1648	backup.exe	43
PID 1648 wrote to memory of 1888	1648	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe
"C:\Users\Admin\AppData\Local\Temp\bf726a59562e43de7196669bfdf363a6fa435c0ea523861841de5d37dad1ef28.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:968
- C:\Users\Admin\AppData\Local\Temp\529089544\backup.exe
  C:\Users\Admin\AppData\Local\Temp\529089544\backup.exe C:\Users\Admin\AppData\Local\Temp\529089544\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2036
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:708
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1476
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:364
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:1892
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:524
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\update.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\data.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1616
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1772
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:620
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1804
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1636
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1888
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1612
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1484
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1116
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1152
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1428
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:620
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:612
        
        C:\Program Files\Common Files\System\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:840
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1032
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:288
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1668
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1732
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1772
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1628
      - C:\Program Files\DVD Maker\Shared\data.exe
        
        "C:\Program Files\DVD Maker\Shared\data.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1332
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:988
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:108
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1724
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:748
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:948
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1480
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:536
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1036
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1688
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:864
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:1588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2008
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:1560
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1744
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1796
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:928
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:804
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1756
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1468
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:864
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1424
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1624
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1836
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      PID:1680
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1476
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1692
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1336
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1532
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:368
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1420
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Windows directory
      System policy modification
      PID:432
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:808
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:472
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1912
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:892
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:472
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
9f1162bf0ed6dd6967577fbbe1f9f4ac

SHA1
fcc386e932094d0c86372e52a9e91222a1349530

SHA256
4f616bdf2226c873402856e7cfc62a57aa786278fa1345f283c4b04deba17c86

SHA512
e3117de211d9241ae28d61b0e73018f68429fd24e3c62e23a3fb57fe315cd1aafc6b6ad78e59f38039ddcdc565b145da01a1121c010f4d9f599fd8867a345710

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
794dd16413ccda2c298679f966b337e3

SHA1
a1efbc716937a93897efe14bed7be5afa9164a3e

SHA256
3ee188f6b4f9790622810575259888c95b70b7a14eefa86b3c68ba9b01541a54

SHA512
39ba399ec06d6b75b47f23a7745bab6f2d4cd4902e20c7e91293abab49336beccb2a1dbbf17dc45cc2b79af7b8a5ff6e26d92040601911e49f7b35408a6f63cd

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
794dd16413ccda2c298679f966b337e3

SHA1
a1efbc716937a93897efe14bed7be5afa9164a3e

SHA256
3ee188f6b4f9790622810575259888c95b70b7a14eefa86b3c68ba9b01541a54

SHA512
39ba399ec06d6b75b47f23a7745bab6f2d4cd4902e20c7e91293abab49336beccb2a1dbbf17dc45cc2b79af7b8a5ff6e26d92040601911e49f7b35408a6f63cd

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
807e40b020602c8fa57e9d3b8a8643d5

SHA1
4f9b280b00ef0970810913bed6e3999553dc20f1

SHA256
661d93c5e5bc7ba8c629b25c8fd3c2b4efc877478d55eb63cd9a1cf9cdb14fdb

SHA512
83eb1661222966133f06ed5dad7576ce26a8966d1685679133eb4ba07d529f8b39cac69fb1e29828ed2ac662ff2c0e1cf9e0bb7ed79e0811b58512af4cf77079

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25d1915f86aabb8dc2f318eb0e9c71a1

SHA1
281a931ef3a9084738fef2f2e8adde44b6247035

SHA256
7530c15e37e30aa7a6948a1345f778f25ae48b7f7347eefda837bf06a23d3bad

SHA512
bee7fa1161a3df7ef2ccb3c1c4ea57251070cd5949a314f1ac122c1a9ada4b598d3682e32e25bc5637e0f711a1f38c587e1744525247e0b2ee51aadd97c3fbf0

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25d1915f86aabb8dc2f318eb0e9c71a1

SHA1
281a931ef3a9084738fef2f2e8adde44b6247035

SHA256
7530c15e37e30aa7a6948a1345f778f25ae48b7f7347eefda837bf06a23d3bad

SHA512
bee7fa1161a3df7ef2ccb3c1c4ea57251070cd5949a314f1ac122c1a9ada4b598d3682e32e25bc5637e0f711a1f38c587e1744525247e0b2ee51aadd97c3fbf0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
7e9b114585299ac78512f4e35f06ce51

SHA1
04ad48c11cc9434ec34fc4df50182207773e093c

SHA256
87e0650a06594b57122792915d2783541d734afd1131eac90cfb470ae9f04cc8

SHA512
0817f0be063748f2e8348f657ff5d71e8f6837fc25f53a46061766ca867a66d526a800cd74101c2893607ad2e0d04d560f6eaed864a9e3259cd1081986e500b8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aba50b6c80fee599eccd852f74cbef5f

SHA1
5d12375c9adf3cd609ad0b65a4ca94674fcd9a63

SHA256
6fcf2a9cbab8dd8cda9b14fdacccd2abd303fc05347e63ece9b478e00ea9db3f

SHA512
40160644339cbb0ec6d732bec21bc48235a0435821f0897252b6b3c4e81e502c03395a3873662abaa8401e3f1265febcac997f4dfc7df0ecb939bcc9b2571273

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aba50b6c80fee599eccd852f74cbef5f

SHA1
5d12375c9adf3cd609ad0b65a4ca94674fcd9a63

SHA256
6fcf2a9cbab8dd8cda9b14fdacccd2abd303fc05347e63ece9b478e00ea9db3f

SHA512
40160644339cbb0ec6d732bec21bc48235a0435821f0897252b6b3c4e81e502c03395a3873662abaa8401e3f1265febcac997f4dfc7df0ecb939bcc9b2571273

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cb64a0841dad692bcdc5a1149c622eae

SHA1
c05d7bf9c7129226fa75792448be4a22bc1d9e1f

SHA256
6d219e81786f318e207effbfc242d236a292f3b8547b8d272c5f19541a50065a

SHA512
ae2007e0b1f0cfcb59d02d5f5d3ed7fd6684881a5481c3ed1064a550a7cc1626ceab8dc8630415e00a19677f40e8cbb915db579759979f7c028ea932c1383952

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0103d4acff78696279b29778663dcc40

SHA1
1f44c45abb8faa1f70e6896274836cd16e16bd79

SHA256
70373e2dcdb8be5892c18aab83bbc1e9c9d041e73364df0385784e82b62b8ddd

SHA512
0827674ac708cff6be89ee704a9ec5fc536f3d84b08ced874a882a7f8deeb62f5a823409d10078047c4f274cc96fe5ad0fa15cf4f812909c66fec2d3cacee354

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0103d4acff78696279b29778663dcc40

SHA1
1f44c45abb8faa1f70e6896274836cd16e16bd79

SHA256
70373e2dcdb8be5892c18aab83bbc1e9c9d041e73364df0385784e82b62b8ddd

SHA512
0827674ac708cff6be89ee704a9ec5fc536f3d84b08ced874a882a7f8deeb62f5a823409d10078047c4f274cc96fe5ad0fa15cf4f812909c66fec2d3cacee354

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
33c2e657467db6124871d966cbec9284

SHA1
60de0732f59e738b63ddd1efc7e613c87be680e5

SHA256
9c3f785ef215fd429af1a6204c92ca452bb76ac4d8e28b7d6bc0694b211bebfd

SHA512
49e5c1c0bc3d54142ea6471a5c9b15220723b35b26e91f9566988d9bcd029ce5aeed20c3db3f36504c425fcdbe77a905f6c5cd0f63e88cffb13d74494556def7

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
33c2e657467db6124871d966cbec9284

SHA1
60de0732f59e738b63ddd1efc7e613c87be680e5

SHA256
9c3f785ef215fd429af1a6204c92ca452bb76ac4d8e28b7d6bc0694b211bebfd

SHA512
49e5c1c0bc3d54142ea6471a5c9b15220723b35b26e91f9566988d9bcd029ce5aeed20c3db3f36504c425fcdbe77a905f6c5cd0f63e88cffb13d74494556def7

Download Submit
C:\Users\Admin\AppData\Local\Temp\529089544\backup.exe

Filesize
72KB

MD5
7304e799e37b48280ebb48323f5f1e65

SHA1
07d8dd82e3f78f7384dd1e770cae98b0015f9a61

SHA256
65015b6ec2df0236cf0f77a56354942cdbd9f12261f17e47aa806a34ebbc62e5

SHA512
fa8457c23e729ae7a37f97c3abfbf0bc4fe03415fe7e88aee48ddb5f1bfccac0901447d03fcbcdbdca8135bf894b78ea9d9beac8acda3d8a9de3781ced50f0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\529089544\backup.exe

Filesize
72KB

MD5
7304e799e37b48280ebb48323f5f1e65

SHA1
07d8dd82e3f78f7384dd1e770cae98b0015f9a61

SHA256
65015b6ec2df0236cf0f77a56354942cdbd9f12261f17e47aa806a34ebbc62e5

SHA512
fa8457c23e729ae7a37f97c3abfbf0bc4fe03415fe7e88aee48ddb5f1bfccac0901447d03fcbcdbdca8135bf894b78ea9d9beac8acda3d8a9de3781ced50f0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cbb4b507fb69838c457a3cec66c6d991

SHA1
1cda90a731553cb19860bc23d606542a2b1747b6

SHA256
4c4f26af661961c05fd7d5ab57a3c724cfb6dd4eeda4474d7e8d3d41334f0f9d

SHA512
5b193f8e4a40e4e4ddb2ed7f80064df30367405ec182ff6b9c3e40fc9c25e08e215eaf2e41b94a35fc88c02d550a209d69593aa1065e930db90f210f2e8fde6c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cbb4b507fb69838c457a3cec66c6d991

SHA1
1cda90a731553cb19860bc23d606542a2b1747b6

SHA256
4c4f26af661961c05fd7d5ab57a3c724cfb6dd4eeda4474d7e8d3d41334f0f9d

SHA512
5b193f8e4a40e4e4ddb2ed7f80064df30367405ec182ff6b9c3e40fc9c25e08e215eaf2e41b94a35fc88c02d550a209d69593aa1065e930db90f210f2e8fde6c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
9f1162bf0ed6dd6967577fbbe1f9f4ac

SHA1
fcc386e932094d0c86372e52a9e91222a1349530

SHA256
4f616bdf2226c873402856e7cfc62a57aa786278fa1345f283c4b04deba17c86

SHA512
e3117de211d9241ae28d61b0e73018f68429fd24e3c62e23a3fb57fe315cd1aafc6b6ad78e59f38039ddcdc565b145da01a1121c010f4d9f599fd8867a345710

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
9f1162bf0ed6dd6967577fbbe1f9f4ac

SHA1
fcc386e932094d0c86372e52a9e91222a1349530

SHA256
4f616bdf2226c873402856e7cfc62a57aa786278fa1345f283c4b04deba17c86

SHA512
e3117de211d9241ae28d61b0e73018f68429fd24e3c62e23a3fb57fe315cd1aafc6b6ad78e59f38039ddcdc565b145da01a1121c010f4d9f599fd8867a345710

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
794dd16413ccda2c298679f966b337e3

SHA1
a1efbc716937a93897efe14bed7be5afa9164a3e

SHA256
3ee188f6b4f9790622810575259888c95b70b7a14eefa86b3c68ba9b01541a54

SHA512
39ba399ec06d6b75b47f23a7745bab6f2d4cd4902e20c7e91293abab49336beccb2a1dbbf17dc45cc2b79af7b8a5ff6e26d92040601911e49f7b35408a6f63cd

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
794dd16413ccda2c298679f966b337e3

SHA1
a1efbc716937a93897efe14bed7be5afa9164a3e

SHA256
3ee188f6b4f9790622810575259888c95b70b7a14eefa86b3c68ba9b01541a54

SHA512
39ba399ec06d6b75b47f23a7745bab6f2d4cd4902e20c7e91293abab49336beccb2a1dbbf17dc45cc2b79af7b8a5ff6e26d92040601911e49f7b35408a6f63cd

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
807e40b020602c8fa57e9d3b8a8643d5

SHA1
4f9b280b00ef0970810913bed6e3999553dc20f1

SHA256
661d93c5e5bc7ba8c629b25c8fd3c2b4efc877478d55eb63cd9a1cf9cdb14fdb

SHA512
83eb1661222966133f06ed5dad7576ce26a8966d1685679133eb4ba07d529f8b39cac69fb1e29828ed2ac662ff2c0e1cf9e0bb7ed79e0811b58512af4cf77079

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
807e40b020602c8fa57e9d3b8a8643d5

SHA1
4f9b280b00ef0970810913bed6e3999553dc20f1

SHA256
661d93c5e5bc7ba8c629b25c8fd3c2b4efc877478d55eb63cd9a1cf9cdb14fdb

SHA512
83eb1661222966133f06ed5dad7576ce26a8966d1685679133eb4ba07d529f8b39cac69fb1e29828ed2ac662ff2c0e1cf9e0bb7ed79e0811b58512af4cf77079

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25d1915f86aabb8dc2f318eb0e9c71a1

SHA1
281a931ef3a9084738fef2f2e8adde44b6247035

SHA256
7530c15e37e30aa7a6948a1345f778f25ae48b7f7347eefda837bf06a23d3bad

SHA512
bee7fa1161a3df7ef2ccb3c1c4ea57251070cd5949a314f1ac122c1a9ada4b598d3682e32e25bc5637e0f711a1f38c587e1744525247e0b2ee51aadd97c3fbf0

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
25d1915f86aabb8dc2f318eb0e9c71a1

SHA1
281a931ef3a9084738fef2f2e8adde44b6247035

SHA256
7530c15e37e30aa7a6948a1345f778f25ae48b7f7347eefda837bf06a23d3bad

SHA512
bee7fa1161a3df7ef2ccb3c1c4ea57251070cd5949a314f1ac122c1a9ada4b598d3682e32e25bc5637e0f711a1f38c587e1744525247e0b2ee51aadd97c3fbf0

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
7e9b114585299ac78512f4e35f06ce51

SHA1
04ad48c11cc9434ec34fc4df50182207773e093c

SHA256
87e0650a06594b57122792915d2783541d734afd1131eac90cfb470ae9f04cc8

SHA512
0817f0be063748f2e8348f657ff5d71e8f6837fc25f53a46061766ca867a66d526a800cd74101c2893607ad2e0d04d560f6eaed864a9e3259cd1081986e500b8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
7e9b114585299ac78512f4e35f06ce51

SHA1
04ad48c11cc9434ec34fc4df50182207773e093c

SHA256
87e0650a06594b57122792915d2783541d734afd1131eac90cfb470ae9f04cc8

SHA512
0817f0be063748f2e8348f657ff5d71e8f6837fc25f53a46061766ca867a66d526a800cd74101c2893607ad2e0d04d560f6eaed864a9e3259cd1081986e500b8

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aba50b6c80fee599eccd852f74cbef5f

SHA1
5d12375c9adf3cd609ad0b65a4ca94674fcd9a63

SHA256
6fcf2a9cbab8dd8cda9b14fdacccd2abd303fc05347e63ece9b478e00ea9db3f

SHA512
40160644339cbb0ec6d732bec21bc48235a0435821f0897252b6b3c4e81e502c03395a3873662abaa8401e3f1265febcac997f4dfc7df0ecb939bcc9b2571273

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
aba50b6c80fee599eccd852f74cbef5f

SHA1
5d12375c9adf3cd609ad0b65a4ca94674fcd9a63

SHA256
6fcf2a9cbab8dd8cda9b14fdacccd2abd303fc05347e63ece9b478e00ea9db3f

SHA512
40160644339cbb0ec6d732bec21bc48235a0435821f0897252b6b3c4e81e502c03395a3873662abaa8401e3f1265febcac997f4dfc7df0ecb939bcc9b2571273

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cb64a0841dad692bcdc5a1149c622eae

SHA1
c05d7bf9c7129226fa75792448be4a22bc1d9e1f

SHA256
6d219e81786f318e207effbfc242d236a292f3b8547b8d272c5f19541a50065a

SHA512
ae2007e0b1f0cfcb59d02d5f5d3ed7fd6684881a5481c3ed1064a550a7cc1626ceab8dc8630415e00a19677f40e8cbb915db579759979f7c028ea932c1383952

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cb64a0841dad692bcdc5a1149c622eae

SHA1
c05d7bf9c7129226fa75792448be4a22bc1d9e1f

SHA256
6d219e81786f318e207effbfc242d236a292f3b8547b8d272c5f19541a50065a

SHA512
ae2007e0b1f0cfcb59d02d5f5d3ed7fd6684881a5481c3ed1064a550a7cc1626ceab8dc8630415e00a19677f40e8cbb915db579759979f7c028ea932c1383952

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe

Filesize
72KB

MD5
186956f6bc2eb418f49ca5243577bc1e

SHA1
732a0896d6bb7b91dbfaa65832e27bf83a813ceb

SHA256
8c01872b828c984d7b901bd11c0f0003d9fc452a3626410db837f904dadb80db

SHA512
487ec4c949a6d5e487025e82c5b86101be67d51c3aac8492a3e7f57dac41b73cd5d09fc8df481812d5e39292b65c7aae070df3206f335fa9d36eee6298bd5406

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0103d4acff78696279b29778663dcc40

SHA1
1f44c45abb8faa1f70e6896274836cd16e16bd79

SHA256
70373e2dcdb8be5892c18aab83bbc1e9c9d041e73364df0385784e82b62b8ddd

SHA512
0827674ac708cff6be89ee704a9ec5fc536f3d84b08ced874a882a7f8deeb62f5a823409d10078047c4f274cc96fe5ad0fa15cf4f812909c66fec2d3cacee354

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0103d4acff78696279b29778663dcc40

SHA1
1f44c45abb8faa1f70e6896274836cd16e16bd79

SHA256
70373e2dcdb8be5892c18aab83bbc1e9c9d041e73364df0385784e82b62b8ddd

SHA512
0827674ac708cff6be89ee704a9ec5fc536f3d84b08ced874a882a7f8deeb62f5a823409d10078047c4f274cc96fe5ad0fa15cf4f812909c66fec2d3cacee354

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
33c2e657467db6124871d966cbec9284

SHA1
60de0732f59e738b63ddd1efc7e613c87be680e5

SHA256
9c3f785ef215fd429af1a6204c92ca452bb76ac4d8e28b7d6bc0694b211bebfd

SHA512
49e5c1c0bc3d54142ea6471a5c9b15220723b35b26e91f9566988d9bcd029ce5aeed20c3db3f36504c425fcdbe77a905f6c5cd0f63e88cffb13d74494556def7

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
33c2e657467db6124871d966cbec9284

SHA1
60de0732f59e738b63ddd1efc7e613c87be680e5

SHA256
9c3f785ef215fd429af1a6204c92ca452bb76ac4d8e28b7d6bc0694b211bebfd

SHA512
49e5c1c0bc3d54142ea6471a5c9b15220723b35b26e91f9566988d9bcd029ce5aeed20c3db3f36504c425fcdbe77a905f6c5cd0f63e88cffb13d74494556def7

Download Submit
\Users\Admin\AppData\Local\Temp\529089544\backup.exe

Filesize
72KB

MD5
7304e799e37b48280ebb48323f5f1e65

SHA1
07d8dd82e3f78f7384dd1e770cae98b0015f9a61

SHA256
65015b6ec2df0236cf0f77a56354942cdbd9f12261f17e47aa806a34ebbc62e5

SHA512
fa8457c23e729ae7a37f97c3abfbf0bc4fe03415fe7e88aee48ddb5f1bfccac0901447d03fcbcdbdca8135bf894b78ea9d9beac8acda3d8a9de3781ced50f0ac

Download Submit
\Users\Admin\AppData\Local\Temp\529089544\backup.exe

Filesize
72KB

MD5
7304e799e37b48280ebb48323f5f1e65

SHA1
07d8dd82e3f78f7384dd1e770cae98b0015f9a61

SHA256
65015b6ec2df0236cf0f77a56354942cdbd9f12261f17e47aa806a34ebbc62e5

SHA512
fa8457c23e729ae7a37f97c3abfbf0bc4fe03415fe7e88aee48ddb5f1bfccac0901447d03fcbcdbdca8135bf894b78ea9d9beac8acda3d8a9de3781ced50f0ac

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
01b77d5ef92c8b8c4527d381315ab549

SHA1
e0571fbe69072db8536859528768cf10e9bb1d5d

SHA256
4865d1e48436165edf760c0f49dea4af91e98d9ce848cf80376aeac3c9f90ac6

SHA512
6010f1c0eefd62e0a82c77618e3377f1b1afbeeec4d51e7d3d95a97e59c8166f953114ca89a53b4bea8ae964b9339a18b613c2654f4a3f2a315b5e091f9386af

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
23ab265d4cb0f619cc9c740f38613538

SHA1
95f0a3e889f8f83b87cb2911c9970426aa405c52

SHA256
d60829ced5aa35d2d663a7dcf7eaa23ddcdf5af1073fe9f92f2b88cd7927cc9a

SHA512
027d9782a28b3b94b44634baf0b69c4d482e6cc42de9887ebe5e1488d47a2b2c3404e3fe7c479345144ee2dff2b94dbcf3721cc919aa30a2655eaa35cbaeb338

Download Submit
memory/968-123-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/968-164-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads