526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b

Analysis

max time kernel
188s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
Size

72KB
MD5

0e545a36e318b4ae0e3b1e1369c3175c
SHA1

bc72dd4cd79368e8767af46ff492a382500a66fa
SHA256

526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b
SHA512

c4d05e49ceb74e98413970397723405aa2106cfae7f8d2d5bda92c871b6f9e20357e5f5caff99372b87caf834d48279b5e83bc5e233a63ac5ab29fc8959001be
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2X:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1512	backup.exe
856	backup.exe
836	backup.exe
1004	backup.exe
572	System Restore.exe
1572	System Restore.exe
432	backup.exe
872	backup.exe
1012	update.exe
320	backup.exe
1260	backup.exe
1800	backup.exe
840	backup.exe
1304	backup.exe
1568	backup.exe
820	backup.exe
1696	backup.exe
952	backup.exe
1388	backup.exe
1780	backup.exe
1768	backup.exe
856	backup.exe
784	backup.exe
1940	backup.exe
1324	backup.exe
2008	backup.exe
1844	backup.exe
316	backup.exe
1008	backup.exe
1880	backup.exe
1836	backup.exe
1712	data.exe
900	data.exe
320	data.exe
472	data.exe
1480	backup.exe
1328	backup.exe
1012	backup.exe
744	backup.exe
1172	backup.exe
956	backup.exe
1728	backup.exe
740	backup.exe
1064	backup.exe
1968	backup.exe
112	backup.exe
1356	backup.exe
960	backup.exe
1596	backup.exe
1716	backup.exe
1616	backup.exe
1388	backup.exe
1424	backup.exe
1228	backup.exe
2016	backup.exe
368	update.exe
932	backup.exe
1572	backup.exe
1608	backup.exe
1556	backup.exe
1396	backup.exe
1268	backup.exe
1984	backup.exe
1328	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
432	backup.exe
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1012	update.exe
1012	update.exe
1012	update.exe
1012	update.exe
1012	update.exe
320	backup.exe
320	backup.exe
320	backup.exe
432	backup.exe
432	backup.exe
1260	backup.exe
1260	backup.exe
1800	backup.exe
1800	backup.exe
1260	backup.exe
1260	backup.exe
1304	backup.exe
1304	backup.exe
1568	backup.exe
1568	backup.exe
1568	backup.exe
1568	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
1696	backup.exe
432	backup.exe
1696	backup.exe
1304	backup.exe
1304	backup.exe
432	backup.exe
1568	backup.exe
1568	backup.exe
1696	backup.exe
432	backup.exe
1696	backup.exe
432	backup.exe
1260	backup.exe
1568	backup.exe
1260	backup.exe
1568	backup.exe
1304	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	update.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\update.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
1512	backup.exe
856	backup.exe
836	backup.exe
1004	backup.exe
572	System Restore.exe
1572	System Restore.exe
432	backup.exe
872	backup.exe
1012	update.exe
320	backup.exe
1260	backup.exe
1800	backup.exe
840	backup.exe
1304	backup.exe
1568	backup.exe
820	backup.exe
1696	backup.exe
952	backup.exe
1388	backup.exe
1780	backup.exe
1768	backup.exe
856	backup.exe
784	backup.exe
1940	backup.exe
2008	backup.exe
1324	backup.exe
316	backup.exe
1844	backup.exe
1880	backup.exe
1008	backup.exe
1836	backup.exe
320	data.exe
1480	backup.exe
1328	backup.exe
472	data.exe
1012	backup.exe
1712	data.exe
900	data.exe
744	backup.exe
1172	backup.exe
1728	backup.exe
1064	backup.exe
956	backup.exe
740	backup.exe
112	backup.exe
1968	backup.exe
1356	backup.exe
960	backup.exe
1616	backup.exe
1424	backup.exe
1716	backup.exe
1388	backup.exe
932	backup.exe
368	update.exe
1608	backup.exe
2016	backup.exe
1228	backup.exe
1572	backup.exe
1556	backup.exe
1268	backup.exe
1984	backup.exe
1396	backup.exe
1328	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1512	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	27
PID 1736 wrote to memory of 1512	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	27
PID 1736 wrote to memory of 1512	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	27
PID 1736 wrote to memory of 1512	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	27
PID 1736 wrote to memory of 856	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	28
PID 1736 wrote to memory of 856	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	28
PID 1736 wrote to memory of 856	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	28
PID 1736 wrote to memory of 856	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	28
PID 1736 wrote to memory of 836	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	29
PID 1736 wrote to memory of 836	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	29
PID 1736 wrote to memory of 836	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	29
PID 1736 wrote to memory of 836	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	29
PID 1736 wrote to memory of 1004	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	30
PID 1736 wrote to memory of 1004	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	30
PID 1736 wrote to memory of 1004	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	30
PID 1736 wrote to memory of 1004	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	30
PID 1736 wrote to memory of 572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	31
PID 1736 wrote to memory of 572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	31
PID 1736 wrote to memory of 572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	31
PID 1736 wrote to memory of 572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	31
PID 1736 wrote to memory of 1572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	32
PID 1736 wrote to memory of 1572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	32
PID 1736 wrote to memory of 1572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	32
PID 1736 wrote to memory of 1572	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	32
PID 1512 wrote to memory of 432	1512	backup.exe	33
PID 1512 wrote to memory of 432	1512	backup.exe	33
PID 1512 wrote to memory of 432	1512	backup.exe	33
PID 1512 wrote to memory of 432	1512	backup.exe	33
PID 1736 wrote to memory of 872	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	34
PID 1736 wrote to memory of 872	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	34
PID 1736 wrote to memory of 872	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	34
PID 1736 wrote to memory of 872	1736	526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe	34
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 432 wrote to memory of 1012	432	backup.exe	35
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 1012 wrote to memory of 320	1012	update.exe	36
PID 432 wrote to memory of 1260	432	backup.exe	37
PID 432 wrote to memory of 1260	432	backup.exe	37
PID 432 wrote to memory of 1260	432	backup.exe	37
PID 432 wrote to memory of 1260	432	backup.exe	37
PID 1260 wrote to memory of 1800	1260	backup.exe	38
PID 1260 wrote to memory of 1800	1260	backup.exe	38
PID 1260 wrote to memory of 1800	1260	backup.exe	38
PID 1260 wrote to memory of 1800	1260	backup.exe	38
PID 1800 wrote to memory of 840	1800	backup.exe	39
PID 1800 wrote to memory of 840	1800	backup.exe	39
PID 1800 wrote to memory of 840	1800	backup.exe	39
PID 1800 wrote to memory of 840	1800	backup.exe	39
PID 1260 wrote to memory of 1304	1260	backup.exe	40
PID 1260 wrote to memory of 1304	1260	backup.exe	40
PID 1260 wrote to memory of 1304	1260	backup.exe	40
PID 1260 wrote to memory of 1304	1260	backup.exe	40
PID 1304 wrote to memory of 1568	1304	backup.exe	41
PID 1304 wrote to memory of 1568	1304	backup.exe	41

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe
"C:\Users\Admin\AppData\Local\Temp\526d5c97dc0a09ccc32bce806b2a17d998ac70e1ae4edc12e59dfbea6a76ca0b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\3274262145\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3274262145\backup.exe C:\Users\Admin\AppData\Local\Temp\3274262145\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1512
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\PerfLogs\update.exe
      C:\PerfLogs\update.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1012
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:320
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1800
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1304
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1424
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1328
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1984
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1012
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\update.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1660
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2012
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1940
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1324
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1440
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1964
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1008
      - C:\Program Files\DVD Maker\de-DE\data.exe
        
        "C:\Program Files\DVD Maker\de-DE\data.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1608
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2004
      - C:\Program Files\DVD Maker\Shared\data.exe
        
        "C:\Program Files\DVD Maker\Shared\data.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1168
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1424
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Disables RegEdit via registry modification
        
        PID:576
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1608
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:960
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:768
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:876
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:472
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1572
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:784
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1712
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1044
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:612
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:456
      - C:\Program Files (x86)\Common Files\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1172
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:900
      - C:\Program Files (x86)\Google\CrashReports\data.exe
        
        "C:\Program Files (x86)\Google\CrashReports\data.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1968
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:316
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1172
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1296
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1396
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      PID:1628
    - - C:\Windows\addins\update.exe
        
        C:\Windows\addins\update.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1344
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:572
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
93ebd6000f0af9333c91f0290d2ef8ed

SHA1
aa0f724bfdbf348a13334e9f8a2468a16d10cded

SHA256
b16974bb04ba5a6153f33c19c137953e609c973682ea5fa5cc1e901b8ee0a5d1

SHA512
44762af27d5e98dafb2737ef70213d1926a802c2b3c1c47147473f80cb969ed3c5d1ef8b9f30a803e0a3dfa39a1b63cab02f9778329f74d1e05f092327d112f8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2dc44c1459774e2d699641d8523ea8c3

SHA1
6ab03de94a7e75b7d5df317497a640be62bc8b02

SHA256
4281d100a3a82429d65625656c1b6201e4fa5543775c1bf28dcf2057c3f496e7

SHA512
db34f55145085f90e8e69d5cef3d261dd6e3ed222141cf25db141b7a86385426a7bab9a693c340646d2caecd0fce257255c6e75c4a5821a088a319b16b40204d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2dc44c1459774e2d699641d8523ea8c3

SHA1
6ab03de94a7e75b7d5df317497a640be62bc8b02

SHA256
4281d100a3a82429d65625656c1b6201e4fa5543775c1bf28dcf2057c3f496e7

SHA512
db34f55145085f90e8e69d5cef3d261dd6e3ed222141cf25db141b7a86385426a7bab9a693c340646d2caecd0fce257255c6e75c4a5821a088a319b16b40204d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
166292cd152f4faef8150d6bf079e403

SHA1
9b95f7523afbd47f50fb955bd3cecf8da2d3fbec

SHA256
4d5f408f8413e14f92abe40fb35ed0795ccef28e436f226a2482ae6543942da5

SHA512
2cc7ad92557c61d4adbc181cb904cef4b480365a59485c75ce03a40612b85bfa48668711004cb7139f9eb45492d55ae62f8ccf7ee76d71c921ce7fa9e5391b52

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
166292cd152f4faef8150d6bf079e403

SHA1
9b95f7523afbd47f50fb955bd3cecf8da2d3fbec

SHA256
4d5f408f8413e14f92abe40fb35ed0795ccef28e436f226a2482ae6543942da5

SHA512
2cc7ad92557c61d4adbc181cb904cef4b480365a59485c75ce03a40612b85bfa48668711004cb7139f9eb45492d55ae62f8ccf7ee76d71c921ce7fa9e5391b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\3274262145\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3274262145\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
719d6d1fc539c68a8bde645667300335

SHA1
6a6351f80c934117151161788c4f10a912e5f5f4

SHA256
711a0e58f1bfd65be691b9a98c183470460010423d07613c1a99f69eefd3bd79

SHA512
942e290ecb740ab64119f7ed28a41b0f9b8c7399e7bc872fa4d8ee3984f309877fe3c9c82023e3e37bd2264411b6b75229091d398dcba30d1b1fb23a89682c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8a5bd68c8cda0069baf756abe02169a1

SHA1
09e54ba0e6ec3a32924fbe43065b2106a5983592

SHA256
6cc9ff3fd783c109047520cdf76a166f0ef1f011f06fae43879911bd3bb3e402

SHA512
f1c2856e2088be4acae914c624565c14c1bfad0a1c27103953eb99e12d7cf671deb1dcb93619861d1ea79a82159989c791be19a92b10c523e1fe3441222c4335

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8a5bd68c8cda0069baf756abe02169a1

SHA1
09e54ba0e6ec3a32924fbe43065b2106a5983592

SHA256
6cc9ff3fd783c109047520cdf76a166f0ef1f011f06fae43879911bd3bb3e402

SHA512
f1c2856e2088be4acae914c624565c14c1bfad0a1c27103953eb99e12d7cf671deb1dcb93619861d1ea79a82159989c791be19a92b10c523e1fe3441222c4335

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
317b6e010e5e120b0206640741aaf908

SHA1
00a010f6e0ce1919134d5ddd0dfdeb1dcb720e95

SHA256
cc86c1e6829345e5ec62e9a2c12a69a82b510970e2bfa63514b5d278cf3333fb

SHA512
846f193832dd9f65ca07b9668925382525c30459177a3d1f9c07bb636129db995ab58285c92997252c9c316d6763cdc953ea62921800c88204fb78c008ddf587

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
\PerfLogs\update.exe

Filesize
72KB

MD5
1ce844ecf07dd0a7db1a568598d6cc95

SHA1
34813846be65fc173b36a7ec1ba087b1dff18774

SHA256
0cf5436d28475cb95b0306b427427b206a0e4302b0d66fbf2c4d81cce720ee1b

SHA512
28cc17ec733d5bc0db5fd79c2543330b5f6e78d5963141193021382a12bd754240c696793e61c0bc9a112eb25ad29381d0b1a1aff3424fb8ce63bcb79459441d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
93ebd6000f0af9333c91f0290d2ef8ed

SHA1
aa0f724bfdbf348a13334e9f8a2468a16d10cded

SHA256
b16974bb04ba5a6153f33c19c137953e609c973682ea5fa5cc1e901b8ee0a5d1

SHA512
44762af27d5e98dafb2737ef70213d1926a802c2b3c1c47147473f80cb969ed3c5d1ef8b9f30a803e0a3dfa39a1b63cab02f9778329f74d1e05f092327d112f8

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
93ebd6000f0af9333c91f0290d2ef8ed

SHA1
aa0f724bfdbf348a13334e9f8a2468a16d10cded

SHA256
b16974bb04ba5a6153f33c19c137953e609c973682ea5fa5cc1e901b8ee0a5d1

SHA512
44762af27d5e98dafb2737ef70213d1926a802c2b3c1c47147473f80cb969ed3c5d1ef8b9f30a803e0a3dfa39a1b63cab02f9778329f74d1e05f092327d112f8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2dc44c1459774e2d699641d8523ea8c3

SHA1
6ab03de94a7e75b7d5df317497a640be62bc8b02

SHA256
4281d100a3a82429d65625656c1b6201e4fa5543775c1bf28dcf2057c3f496e7

SHA512
db34f55145085f90e8e69d5cef3d261dd6e3ed222141cf25db141b7a86385426a7bab9a693c340646d2caecd0fce257255c6e75c4a5821a088a319b16b40204d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2dc44c1459774e2d699641d8523ea8c3

SHA1
6ab03de94a7e75b7d5df317497a640be62bc8b02

SHA256
4281d100a3a82429d65625656c1b6201e4fa5543775c1bf28dcf2057c3f496e7

SHA512
db34f55145085f90e8e69d5cef3d261dd6e3ed222141cf25db141b7a86385426a7bab9a693c340646d2caecd0fce257255c6e75c4a5821a088a319b16b40204d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f1309f92cf4dbc67eeabd11853461cb6

SHA1
e639bbeccfb373605106ae4f65c88e1526dc04f8

SHA256
d0376a0a3f2ca2514390920918188ed2802a209af9833366135983834b60a7c8

SHA512
9a71805a7e1d767c6655f71e20565863e2e11b65d47413a07c4097b602ca9c4248f240c0a83671b28af8362233c95f7f1c23365f76b1f81c92f66af2440c78ed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
f618381ceb1f979235072cb84ee244e8

SHA1
908573f3a0b1954de9a8ad01479c48f7599b400e

SHA256
658ec1a838af7086a03d2a78714664f9c6e635e24c6948bab5fdffe09c291a96

SHA512
9eb9c2e5a038d5d60ab696b064eb2fb0b1c73a549ea06b01e6f59b5c2246a29718925103d4c1241b28f79c7c803446a8045af34f46531019d0a853c5826c6450

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
098f0b4cc89871fcb915f42f9530137c

SHA1
1ff24a95a52a934c1dd5ebbf250aff38d22c0190

SHA256
a0e53bdc6af7623d2f31e0fcdfdbccb66e3a36328a321777c4402552100d71a3

SHA512
d70cbddaab79d5ca7f55b5ef68897131ab58cb3350192b6e9d36b9f812b029da1a2fb3c6de5d5ef080ea8166119219f8b73b9d64c323f5cc469e93eb63f649ea

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
166292cd152f4faef8150d6bf079e403

SHA1
9b95f7523afbd47f50fb955bd3cecf8da2d3fbec

SHA256
4d5f408f8413e14f92abe40fb35ed0795ccef28e436f226a2482ae6543942da5

SHA512
2cc7ad92557c61d4adbc181cb904cef4b480365a59485c75ce03a40612b85bfa48668711004cb7139f9eb45492d55ae62f8ccf7ee76d71c921ce7fa9e5391b52

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
166292cd152f4faef8150d6bf079e403

SHA1
9b95f7523afbd47f50fb955bd3cecf8da2d3fbec

SHA256
4d5f408f8413e14f92abe40fb35ed0795ccef28e436f226a2482ae6543942da5

SHA512
2cc7ad92557c61d4adbc181cb904cef4b480365a59485c75ce03a40612b85bfa48668711004cb7139f9eb45492d55ae62f8ccf7ee76d71c921ce7fa9e5391b52

Download Submit
\Users\Admin\AppData\Local\Temp\3274262145\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
\Users\Admin\AppData\Local\Temp\3274262145\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
719d6d1fc539c68a8bde645667300335

SHA1
6a6351f80c934117151161788c4f10a912e5f5f4

SHA256
711a0e58f1bfd65be691b9a98c183470460010423d07613c1a99f69eefd3bd79

SHA512
942e290ecb740ab64119f7ed28a41b0f9b8c7399e7bc872fa4d8ee3984f309877fe3c9c82023e3e37bd2264411b6b75229091d398dcba30d1b1fb23a89682c4c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
719d6d1fc539c68a8bde645667300335

SHA1
6a6351f80c934117151161788c4f10a912e5f5f4

SHA256
711a0e58f1bfd65be691b9a98c183470460010423d07613c1a99f69eefd3bd79

SHA512
942e290ecb740ab64119f7ed28a41b0f9b8c7399e7bc872fa4d8ee3984f309877fe3c9c82023e3e37bd2264411b6b75229091d398dcba30d1b1fb23a89682c4c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
c78a5a208319a640c3c6237920077811

SHA1
1539fdf62c8de16257ab989a55283f325ded1f48

SHA256
fcff1ee94d9c181ecdf8c2e97ae57d4a3d339bf3e8a4d23a3f4e7fa91c51d4bc

SHA512
370486535663d66c0555bdb9f16c28aeb5d983e7aeb19260cdfd87e10477510349a0f4480186553a25dc6182571d57b1fd20ef475073495e88157874ddd9985a

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
72KB

MD5
ee6c583fed939ab0b4f1fe99df368079

SHA1
e512e60199ccb63609b9e70f8b4478322ebbb1d5

SHA256
b6f57eab42f5ab94c3a3c31b1087fc45be545154cef6ab36f109b00ace3597e0

SHA512
8294e3af91f3df6d84d26f530ce0f9051251b7efb2805f3cfb7346e488edbba04f005ca38bdb8f67062f617368423f10675be6376e2790dde6cf41dfcdb68c0e

Download Submit
memory/1736-108-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1736-137-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads