dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc

Analysis

max time kernel
163s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
Size

72KB
MD5

01e3b0d8ec00817e75ad9cd57caa4701
SHA1

610832027ac899372b67cbb78595b8294745585c
SHA256

dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc
SHA512

73c6643ffb3679f8cd82045bc7f4aa717356e2fa44ce456a4d38b2f13304876b9dcdcc9c32b9a76c44129e6be40e3a6c0217e769e43bbb8c2889294d4cd970ff
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf24:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPM

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 50 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 60 IoCs

pid	Process
616	backup.exe
1772	data.exe
268	backup.exe
1780	backup.exe
1788	System Restore.exe
1940	backup.exe
916	backup.exe
1692	backup.exe
1180	backup.exe
1252	backup.exe
964	backup.exe
1896	backup.exe
1200	backup.exe
1724	backup.exe
1216	backup.exe
1184	backup.exe
1704	System Restore.exe
832	backup.exe
1752	backup.exe
1332	data.exe
520	backup.exe
392	backup.exe
564	backup.exe
1356	backup.exe
1164	backup.exe
1788	backup.exe
548	update.exe
748	backup.exe
324	backup.exe
556	backup.exe
272	backup.exe
1092	backup.exe
600	backup.exe
1528	backup.exe
1280	backup.exe
1820	backup.exe
1660	backup.exe
1188	backup.exe
1784	data.exe
1816	backup.exe
940	backup.exe
888	backup.exe
1612	backup.exe
1156	backup.exe
828	backup.exe
1048	backup.exe
1688	backup.exe
624	backup.exe
1760	backup.exe
392	backup.exe
1356	backup.exe
1580	backup.exe
876	backup.exe
1656	System Restore.exe
1044	backup.exe
2040	backup.exe
1832	backup.exe
1752	backup.exe
1984	System Restore.exe
756	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1940	backup.exe
1940	backup.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
1692	backup.exe
1692	backup.exe
1940	backup.exe
1940	backup.exe
964	backup.exe
964	backup.exe
1896	backup.exe
1896	backup.exe
964	backup.exe
964	backup.exe
1724	backup.exe
1724	backup.exe
1216	backup.exe
1216	backup.exe
1216	backup.exe
1216	backup.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1704	System Restore.exe
1940	backup.exe
1940	backup.exe
964	backup.exe
1724	backup.exe
1704	System Restore.exe
964	backup.exe
1724	backup.exe
1216	backup.exe
1216	backup.exe
548	update.exe
548	update.exe
748	backup.exe
1940	backup.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	System Restore.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
616	backup.exe
1772	data.exe
268	backup.exe
1780	backup.exe
1788	System Restore.exe
1940	backup.exe
916	backup.exe
1692	backup.exe
1180	backup.exe
1252	backup.exe
964	backup.exe
1896	backup.exe
1200	backup.exe
1724	backup.exe
1216	backup.exe
1184	backup.exe
1704	System Restore.exe
832	backup.exe
1752	backup.exe
1332	data.exe
520	backup.exe
392	backup.exe
564	backup.exe
1356	backup.exe
1164	backup.exe
1788	backup.exe
748	backup.exe
324	backup.exe
272	backup.exe
556	backup.exe
1092	backup.exe
600	backup.exe
1528	backup.exe
1280	backup.exe
1820	backup.exe
1660	backup.exe
548	update.exe
1784	data.exe
1188	backup.exe
1816	backup.exe
1612	backup.exe
828	backup.exe
888	backup.exe
940	backup.exe
1156	backup.exe
1048	backup.exe
1688	backup.exe
624	backup.exe
1356	backup.exe
876	backup.exe
1656	System Restore.exe
1580	backup.exe
1044	backup.exe
1832	backup.exe
2040	backup.exe
1752	backup.exe
1984	System Restore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 616	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	28
PID 1648 wrote to memory of 616	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	28
PID 1648 wrote to memory of 616	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	28
PID 1648 wrote to memory of 616	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	28
PID 1648 wrote to memory of 1772	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	29
PID 1648 wrote to memory of 1772	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	29
PID 1648 wrote to memory of 1772	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	29
PID 1648 wrote to memory of 1772	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	29
PID 1648 wrote to memory of 268	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	30
PID 1648 wrote to memory of 268	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	30
PID 1648 wrote to memory of 268	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	30
PID 1648 wrote to memory of 268	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	30
PID 1648 wrote to memory of 1780	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	31
PID 1648 wrote to memory of 1780	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	31
PID 1648 wrote to memory of 1780	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	31
PID 1648 wrote to memory of 1780	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	31
PID 616 wrote to memory of 1940	616	backup.exe	32
PID 616 wrote to memory of 1940	616	backup.exe	32
PID 616 wrote to memory of 1940	616	backup.exe	32
PID 616 wrote to memory of 1940	616	backup.exe	32
PID 1648 wrote to memory of 1788	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	33
PID 1648 wrote to memory of 1788	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	33
PID 1648 wrote to memory of 1788	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	33
PID 1648 wrote to memory of 1788	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	33
PID 1648 wrote to memory of 916	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	34
PID 1648 wrote to memory of 916	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	34
PID 1648 wrote to memory of 916	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	34
PID 1648 wrote to memory of 916	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	34
PID 1940 wrote to memory of 1692	1940	backup.exe	35
PID 1940 wrote to memory of 1692	1940	backup.exe	35
PID 1940 wrote to memory of 1692	1940	backup.exe	35
PID 1940 wrote to memory of 1692	1940	backup.exe	35
PID 1648 wrote to memory of 1180	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	36
PID 1648 wrote to memory of 1180	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	36
PID 1648 wrote to memory of 1180	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	36
PID 1648 wrote to memory of 1180	1648	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe	36
PID 1692 wrote to memory of 1252	1692	backup.exe	37
PID 1692 wrote to memory of 1252	1692	backup.exe	37
PID 1692 wrote to memory of 1252	1692	backup.exe	37
PID 1692 wrote to memory of 1252	1692	backup.exe	37
PID 1940 wrote to memory of 964	1940	backup.exe	38
PID 1940 wrote to memory of 964	1940	backup.exe	38
PID 1940 wrote to memory of 964	1940	backup.exe	38
PID 1940 wrote to memory of 964	1940	backup.exe	38
PID 964 wrote to memory of 1896	964	backup.exe	39
PID 964 wrote to memory of 1896	964	backup.exe	39
PID 964 wrote to memory of 1896	964	backup.exe	39
PID 964 wrote to memory of 1896	964	backup.exe	39
PID 1896 wrote to memory of 1200	1896	backup.exe	40
PID 1896 wrote to memory of 1200	1896	backup.exe	40
PID 1896 wrote to memory of 1200	1896	backup.exe	40
PID 1896 wrote to memory of 1200	1896	backup.exe	40
PID 964 wrote to memory of 1724	964	backup.exe	41
PID 964 wrote to memory of 1724	964	backup.exe	41
PID 964 wrote to memory of 1724	964	backup.exe	41
PID 964 wrote to memory of 1724	964	backup.exe	41
PID 1724 wrote to memory of 1216	1724	backup.exe	42
PID 1724 wrote to memory of 1216	1724	backup.exe	42
PID 1724 wrote to memory of 1216	1724	backup.exe	42
PID 1724 wrote to memory of 1216	1724	backup.exe	42
PID 1216 wrote to memory of 1184	1216	backup.exe	43
PID 1216 wrote to memory of 1184	1216	backup.exe	43
PID 1216 wrote to memory of 1184	1216	backup.exe	43
PID 1216 wrote to memory of 1184	1216	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe
"C:\Users\Admin\AppData\Local\Temp\dd6ec16c3f70696adf3f61d9101ef708c2cfaade3d5947a9c4a72e514ed11fdc.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648
- C:\Users\Admin\AppData\Local\Temp\1255013681\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1255013681\backup.exe C:\Users\Admin\AppData\Local\Temp\1255013681\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:616
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1692
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:964
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1896
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1200
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1724
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1184
        
        C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:556
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:324
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1156
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:272
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:828
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1688
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1528
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
    - - C:\Program Files\Internet Explorer\System Restore.exe
        
        "C:\Program Files\Internet Explorer\System Restore.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:748
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:600
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
    - - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Executes dropped EXE
        
        PID:756
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1092
    - - C:\Users\Admin\data.exe
        
        C:\Users\Admin\data.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1048
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        
        PID:1760
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2040
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:916
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ffb9382597edac0f0bc08be96a8a89dd

SHA1
f15596a1e96fba2ae7927423ed569c6bbde8c659

SHA256
1f0f42f7808c8a826e15a9855c3aa68cc67648c02015a129212f885120acd31d

SHA512
1685a0df22d5304442c868b858799d54bd17395fc7d802e4124df3ebd2a2e6856ee3576997cdfbfeaa72ff28bd7b9c3d1468ba89fa010758d5d2c8ec41981145

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
579b0981636eeeaaa5f9dcdd34058ed3

SHA1
6077b304861b0a6a813f4a12239d809af5d68e5d

SHA256
8239bb4cf4bf6aaf204a5ef7f32aa996cfafb101195a41474dcd61cdba0f5c2d

SHA512
c928a931485e1ad79fcb2eedcf941e255374c2002f352fd4136b17cd54f523558dd8bb2643a55b72a3854e5b57d12eabc127abc2ffbca558fd30532357f498ef

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
579b0981636eeeaaa5f9dcdd34058ed3

SHA1
6077b304861b0a6a813f4a12239d809af5d68e5d

SHA256
8239bb4cf4bf6aaf204a5ef7f32aa996cfafb101195a41474dcd61cdba0f5c2d

SHA512
c928a931485e1ad79fcb2eedcf941e255374c2002f352fd4136b17cd54f523558dd8bb2643a55b72a3854e5b57d12eabc127abc2ffbca558fd30532357f498ef

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b1c71d518f76ae1e1a9787cda9fc85f6

SHA1
3662acce1a4e5f4b0b0c2ee3cf767d1fcfe97b35

SHA256
8432e37fa013db9758443d8848735a956ccd945a38311890ba71c127a4d98535

SHA512
b50525d128dcebd84d8717a3739060ec55ce461c92733000401ad0b8c81110450cab16b453b510ee4bb7f5c3cba26f5d82cdab347ae9852f1257b8020700e3f9

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b1c71d518f76ae1e1a9787cda9fc85f6

SHA1
3662acce1a4e5f4b0b0c2ee3cf767d1fcfe97b35

SHA256
8432e37fa013db9758443d8848735a956ccd945a38311890ba71c127a4d98535

SHA512
b50525d128dcebd84d8717a3739060ec55ce461c92733000401ad0b8c81110450cab16b453b510ee4bb7f5c3cba26f5d82cdab347ae9852f1257b8020700e3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1255013681\backup.exe

Filesize
72KB

MD5
fd4c35a01ed4515ada2932a07189a841

SHA1
cebf3a687f160d76fc63f7a1d5b73e506dfc30e2

SHA256
55687ca588326bae3a3cebd849fb11483e34bee3065f732be3a275e79b319164

SHA512
61292a73ec4062e27d5ce938d464eddb0cfd5f77478126a440fef2484e4cf9770186fe101b8aab7caedd24a1ca4ae29e102b1a8169af89a7b2590fa7c03246f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1255013681\backup.exe

Filesize
72KB

MD5
fd4c35a01ed4515ada2932a07189a841

SHA1
cebf3a687f160d76fc63f7a1d5b73e506dfc30e2

SHA256
55687ca588326bae3a3cebd849fb11483e34bee3065f732be3a275e79b319164

SHA512
61292a73ec4062e27d5ce938d464eddb0cfd5f77478126a440fef2484e4cf9770186fe101b8aab7caedd24a1ca4ae29e102b1a8169af89a7b2590fa7c03246f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
bcd26dca6df784edee52832a67ad1d8b

SHA1
92e5d150455f5feed2cc4d7d605ceb76fb0f4639

SHA256
1751046b25f87b2d762ad8b17facfc77dd9676cb9a94f340d9b928eed9cdcb70

SHA512
eebe4bf521ff168d9de2e5800e1f7372b28fe039bb8b923075fd7fa315274ffae5edb465151d1ed8b18c3cf8c75ac7dbda70355b5786e8893b6083e10ffa2995

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d67c777fd48e477e4bc33963b6296574

SHA1
90f08c45717048179cf91e0ad5114758f571601f

SHA256
f0ea119c2501241ca5edb2cdfc29828610c7ceee4731cc88cab25339c70404f7

SHA512
5602c14eb821ec8e2b7893c331351b401b308d0947125450d89351cb799cdc577f01d9198436e413946fef7fbcb5e2328405c36218bb190888dde1de2abb53fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e0ae1bb9c92eb5db1579aea66d3f4cc

SHA1
7eff360bef902adc0e89c59501be3f5c0b5053f4

SHA256
35afaff83a0ff09088fdf28d5ecddae533b2bd8ea612f01f9030e0489894aab2

SHA512
d37446ff8558bfef40712834360bb2ea8a26a9b3c42dc993f2fdbae4c2e911f9e3f69ff7adf7da319a3f9132f5cd2ec7c904a9e18b642bf0dc24477473555597

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9d63f82c062ecf84df0d7eda86c6d53d

SHA1
17dbadb2f857c9c92c510825753e8862cb77ed0e

SHA256
e0ef9b54cb1e23ac67d6ebc48afa6288da220d00186baa6635a533e370928fa7

SHA512
af7ea1f0df6eabce0140c7d8183d3bad5567f4968a9d99a32fd7f65f1750914210fd633ea4980fc44512f5b0083798457764b8c44c36bbe5a064666ba2233962

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9d63f82c062ecf84df0d7eda86c6d53d

SHA1
17dbadb2f857c9c92c510825753e8862cb77ed0e

SHA256
e0ef9b54cb1e23ac67d6ebc48afa6288da220d00186baa6635a533e370928fa7

SHA512
af7ea1f0df6eabce0140c7d8183d3bad5567f4968a9d99a32fd7f65f1750914210fd633ea4980fc44512f5b0083798457764b8c44c36bbe5a064666ba2233962

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ffb9382597edac0f0bc08be96a8a89dd

SHA1
f15596a1e96fba2ae7927423ed569c6bbde8c659

SHA256
1f0f42f7808c8a826e15a9855c3aa68cc67648c02015a129212f885120acd31d

SHA512
1685a0df22d5304442c868b858799d54bd17395fc7d802e4124df3ebd2a2e6856ee3576997cdfbfeaa72ff28bd7b9c3d1468ba89fa010758d5d2c8ec41981145

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ffb9382597edac0f0bc08be96a8a89dd

SHA1
f15596a1e96fba2ae7927423ed569c6bbde8c659

SHA256
1f0f42f7808c8a826e15a9855c3aa68cc67648c02015a129212f885120acd31d

SHA512
1685a0df22d5304442c868b858799d54bd17395fc7d802e4124df3ebd2a2e6856ee3576997cdfbfeaa72ff28bd7b9c3d1468ba89fa010758d5d2c8ec41981145

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
579b0981636eeeaaa5f9dcdd34058ed3

SHA1
6077b304861b0a6a813f4a12239d809af5d68e5d

SHA256
8239bb4cf4bf6aaf204a5ef7f32aa996cfafb101195a41474dcd61cdba0f5c2d

SHA512
c928a931485e1ad79fcb2eedcf941e255374c2002f352fd4136b17cd54f523558dd8bb2643a55b72a3854e5b57d12eabc127abc2ffbca558fd30532357f498ef

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
579b0981636eeeaaa5f9dcdd34058ed3

SHA1
6077b304861b0a6a813f4a12239d809af5d68e5d

SHA256
8239bb4cf4bf6aaf204a5ef7f32aa996cfafb101195a41474dcd61cdba0f5c2d

SHA512
c928a931485e1ad79fcb2eedcf941e255374c2002f352fd4136b17cd54f523558dd8bb2643a55b72a3854e5b57d12eabc127abc2ffbca558fd30532357f498ef

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
0468ceb976c9d2f01a94d127a3f7a179

SHA1
ced3048eaa475de81008a87cd98784271fdf1cd1

SHA256
95974ea71dec01712c29b750ba5fd02e2cfd4ce0dbbb6ecd5780b5d3b879751b

SHA512
754d86f33ee421d4d4da61834817ed0821eef6aabd922b39d26ee2f63e143b2d17965cbeaa933151dcfd618806c6c303f0808cba06bfbc6664a10217e3e76969

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\System Restore.exe

Filesize
72KB

MD5
3088498402b2c021f1c021b53b1f058f

SHA1
0619b66f3935c2e50094d93405d31d5f09530221

SHA256
e42a4b00f4a43d02e8fc3ebebb3f9f90ad02a2c492d817e672a3d5698629e62b

SHA512
d8c3a3137ee36c4898b74d09d24148356bac3134dabc24a599872d4b4193e537152e0be06f8d7e72b457ca68e04c31dec52660a18cf192ce47e2081ff951c79d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\data.exe

Filesize
72KB

MD5
ec51c5c729501c646423525d7b5ef017

SHA1
baf68f7114e467440a98b9401d74cc32cf324757

SHA256
d0e431d6ed3b048e095885b412970993a3fb8e92000d85a8624e197cc47fd649

SHA512
33d952fe632d14b5cc521997b84209def8c06cfeb25354d3b6ef8eb9de42024286534d75a0774a41d315b95a4e27be20ec775729b27d16332dc75d35151f769b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0139366372e6ca8ebe9dc3ca269e22d2

SHA1
10f271dc969cf4ceb52194916fb061a308fdc164

SHA256
e18671fa787702eeb17d3cb5a3b051f2f0b1e0c8eebb2f1f5c958570702b4844

SHA512
0a00f06cf8b96ca006af7874fdd13367f895d81e8c8dc46f9d5ab0383758ebcf45934e1a7862f5ef97e954bd7164f0e839e5b7a840210b7dd037ef89d35cf042

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b1c71d518f76ae1e1a9787cda9fc85f6

SHA1
3662acce1a4e5f4b0b0c2ee3cf767d1fcfe97b35

SHA256
8432e37fa013db9758443d8848735a956ccd945a38311890ba71c127a4d98535

SHA512
b50525d128dcebd84d8717a3739060ec55ce461c92733000401ad0b8c81110450cab16b453b510ee4bb7f5c3cba26f5d82cdab347ae9852f1257b8020700e3f9

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
b1c71d518f76ae1e1a9787cda9fc85f6

SHA1
3662acce1a4e5f4b0b0c2ee3cf767d1fcfe97b35

SHA256
8432e37fa013db9758443d8848735a956ccd945a38311890ba71c127a4d98535

SHA512
b50525d128dcebd84d8717a3739060ec55ce461c92733000401ad0b8c81110450cab16b453b510ee4bb7f5c3cba26f5d82cdab347ae9852f1257b8020700e3f9

Download Submit
\Users\Admin\AppData\Local\Temp\1255013681\backup.exe

Filesize
72KB

MD5
fd4c35a01ed4515ada2932a07189a841

SHA1
cebf3a687f160d76fc63f7a1d5b73e506dfc30e2

SHA256
55687ca588326bae3a3cebd849fb11483e34bee3065f732be3a275e79b319164

SHA512
61292a73ec4062e27d5ce938d464eddb0cfd5f77478126a440fef2484e4cf9770186fe101b8aab7caedd24a1ca4ae29e102b1a8169af89a7b2590fa7c03246f0

Download Submit
\Users\Admin\AppData\Local\Temp\1255013681\backup.exe

Filesize
72KB

MD5
fd4c35a01ed4515ada2932a07189a841

SHA1
cebf3a687f160d76fc63f7a1d5b73e506dfc30e2

SHA256
55687ca588326bae3a3cebd849fb11483e34bee3065f732be3a275e79b319164

SHA512
61292a73ec4062e27d5ce938d464eddb0cfd5f77478126a440fef2484e4cf9770186fe101b8aab7caedd24a1ca4ae29e102b1a8169af89a7b2590fa7c03246f0

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
bcd26dca6df784edee52832a67ad1d8b

SHA1
92e5d150455f5feed2cc4d7d605ceb76fb0f4639

SHA256
1751046b25f87b2d762ad8b17facfc77dd9676cb9a94f340d9b928eed9cdcb70

SHA512
eebe4bf521ff168d9de2e5800e1f7372b28fe039bb8b923075fd7fa315274ffae5edb465151d1ed8b18c3cf8c75ac7dbda70355b5786e8893b6083e10ffa2995

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
bcd26dca6df784edee52832a67ad1d8b

SHA1
92e5d150455f5feed2cc4d7d605ceb76fb0f4639

SHA256
1751046b25f87b2d762ad8b17facfc77dd9676cb9a94f340d9b928eed9cdcb70

SHA512
eebe4bf521ff168d9de2e5800e1f7372b28fe039bb8b923075fd7fa315274ffae5edb465151d1ed8b18c3cf8c75ac7dbda70355b5786e8893b6083e10ffa2995

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d67c777fd48e477e4bc33963b6296574

SHA1
90f08c45717048179cf91e0ad5114758f571601f

SHA256
f0ea119c2501241ca5edb2cdfc29828610c7ceee4731cc88cab25339c70404f7

SHA512
5602c14eb821ec8e2b7893c331351b401b308d0947125450d89351cb799cdc577f01d9198436e413946fef7fbcb5e2328405c36218bb190888dde1de2abb53fe

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
d67c777fd48e477e4bc33963b6296574

SHA1
90f08c45717048179cf91e0ad5114758f571601f

SHA256
f0ea119c2501241ca5edb2cdfc29828610c7ceee4731cc88cab25339c70404f7

SHA512
5602c14eb821ec8e2b7893c331351b401b308d0947125450d89351cb799cdc577f01d9198436e413946fef7fbcb5e2328405c36218bb190888dde1de2abb53fe

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
1f1614d2ee16c1ed0533e1f713445189

SHA1
b3ae587c5db8093b58132b0b0e393ea7fc6d4d2b

SHA256
2bbe74cb71092da94e80674ad37bde44a8c2c9cade64b40a34eb7c31e944edcc

SHA512
cfb488bd63c00f409ed57834cd6ab936ef4669c121670aac780a87bc86dabdb950ba943be37723dd8c23821e0fdeb0e77c263c708755ae63daf19b064736d0de

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e0ae1bb9c92eb5db1579aea66d3f4cc

SHA1
7eff360bef902adc0e89c59501be3f5c0b5053f4

SHA256
35afaff83a0ff09088fdf28d5ecddae533b2bd8ea612f01f9030e0489894aab2

SHA512
d37446ff8558bfef40712834360bb2ea8a26a9b3c42dc993f2fdbae4c2e911f9e3f69ff7adf7da319a3f9132f5cd2ec7c904a9e18b642bf0dc24477473555597

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e0ae1bb9c92eb5db1579aea66d3f4cc

SHA1
7eff360bef902adc0e89c59501be3f5c0b5053f4

SHA256
35afaff83a0ff09088fdf28d5ecddae533b2bd8ea612f01f9030e0489894aab2

SHA512
d37446ff8558bfef40712834360bb2ea8a26a9b3c42dc993f2fdbae4c2e911f9e3f69ff7adf7da319a3f9132f5cd2ec7c904a9e18b642bf0dc24477473555597

Download Submit
memory/1648-117-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1648-162-0x00000000746D1000-0x00000000746D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads