12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79

Analysis

max time kernel
191s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
Size

72KB
MD5

02989c2b62634fd12a3f86f487aa65b5
SHA1

4855c1922ce631c9ae0036e65bb997e6f784dcd5
SHA256

12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79
SHA512

24be599647848cd78ef2d6276cbac2dacdab7f2b3ad69acd741e99d7df983505b25e9ba717e6b4ab2c4f898eead55de860d5ac0b431c235e9004e80c37bf3697
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2x:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPF

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1940	backup.exe
1640	backup.exe
964	backup.exe
584	update.exe
572	backup.exe
1308	System Restore.exe
1548	System Restore.exe
1444	backup.exe
1100	backup.exe
2004	backup.exe
1620	update.exe
1148	backup.exe
788	backup.exe
816	backup.exe
1908	System Restore.exe
1532	backup.exe
1772	backup.exe
1656	backup.exe
976	System Restore.exe
1852	backup.exe
780	backup.exe
320	backup.exe
276	backup.exe
1292	backup.exe
2012	backup.exe
1444	backup.exe
1260	backup.exe
1112	backup.exe
2004	backup.exe
900	backup.exe
1004	backup.exe
1252	backup.exe
1712	backup.exe
692	backup.exe
1596	backup.exe
324	backup.exe
2044	backup.exe
1508	backup.exe
1016	backup.exe
536	backup.exe
1540	backup.exe
1532	update.exe
1976	backup.exe
1920	data.exe
1640	backup.exe
1076	backup.exe
960	backup.exe
320	backup.exe
1028	backup.exe
1756	backup.exe
1468	backup.exe
844	backup.exe
1264	backup.exe
1844	backup.exe
1912	backup.exe
1848	backup.exe
1280	backup.exe
2008	backup.exe
324	backup.exe
2044	backup.exe
1824	backup.exe
1692	System Restore.exe
984	backup.exe
1656	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
572	backup.exe
572	backup.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1548	System Restore.exe
1548	System Restore.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
572	backup.exe
584	update.exe
1620	update.exe
584	update.exe
1620	update.exe
1620	update.exe
584	update.exe
1620	update.exe
1620	update.exe
1148	backup.exe
1148	backup.exe
1148	backup.exe
1148	backup.exe
1148	backup.exe
788	backup.exe
788	backup.exe
788	backup.exe
1620	update.exe
1620	update.exe
816	backup.exe
816	backup.exe
816	backup.exe
816	backup.exe
816	backup.exe
1908	System Restore.exe
1908	System Restore.exe
1908	System Restore.exe
1908	System Restore.exe
1908	System Restore.exe
1532	backup.exe
1532	backup.exe
1532	backup.exe
1908	System Restore.exe
1908	System Restore.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1772	backup.exe
1656	backup.exe
1656	backup.exe
1656	backup.exe
1772	backup.exe
1772	backup.exe
976	System Restore.exe
976	System Restore.exe
976	System Restore.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
1940	backup.exe
1640	backup.exe
964	backup.exe
572	backup.exe
1308	System Restore.exe
1548	System Restore.exe
1444	backup.exe
1100	backup.exe
2004	backup.exe
1620	update.exe
584	update.exe
1148	backup.exe
788	backup.exe
816	backup.exe
1908	System Restore.exe
1532	backup.exe
1772	backup.exe
1656	backup.exe
976	System Restore.exe
1852	backup.exe
780	backup.exe
320	backup.exe
276	backup.exe
1292	backup.exe
2012	backup.exe
1444	backup.exe
1260	backup.exe
1112	backup.exe
2004	backup.exe
900	backup.exe
1004	backup.exe
1252	backup.exe
1712	backup.exe
692	backup.exe
324	backup.exe
1596	backup.exe
1508	backup.exe
2044	backup.exe
1016	backup.exe
536	backup.exe
1540	backup.exe
1532	update.exe
1976	backup.exe
1640	backup.exe
1920	data.exe
1076	backup.exe
960	backup.exe
320	backup.exe
1028	backup.exe
1756	backup.exe
1468	backup.exe
844	backup.exe
1264	backup.exe
1844	backup.exe
1912	backup.exe
1848	backup.exe
1280	backup.exe
324	backup.exe
2008	backup.exe
2044	backup.exe
1824	backup.exe
1692	System Restore.exe
984	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1940	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	27
PID 1992 wrote to memory of 1940	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	27
PID 1992 wrote to memory of 1940	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	27
PID 1992 wrote to memory of 1940	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	27
PID 1992 wrote to memory of 1640	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	28
PID 1992 wrote to memory of 1640	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	28
PID 1992 wrote to memory of 1640	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	28
PID 1992 wrote to memory of 1640	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	28
PID 1992 wrote to memory of 964	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	29
PID 1992 wrote to memory of 964	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	29
PID 1992 wrote to memory of 964	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	29
PID 1992 wrote to memory of 964	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	29
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1992 wrote to memory of 584	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	30
PID 1940 wrote to memory of 572	1940	backup.exe	31
PID 1940 wrote to memory of 572	1940	backup.exe	31
PID 1940 wrote to memory of 572	1940	backup.exe	31
PID 1940 wrote to memory of 572	1940	backup.exe	31
PID 1992 wrote to memory of 1308	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	32
PID 1992 wrote to memory of 1308	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	32
PID 1992 wrote to memory of 1308	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	32
PID 1992 wrote to memory of 1308	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	32
PID 572 wrote to memory of 1548	572	backup.exe	33
PID 572 wrote to memory of 1548	572	backup.exe	33
PID 572 wrote to memory of 1548	572	backup.exe	33
PID 572 wrote to memory of 1548	572	backup.exe	33
PID 1992 wrote to memory of 1444	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	34
PID 1992 wrote to memory of 1444	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	34
PID 1992 wrote to memory of 1444	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	34
PID 1992 wrote to memory of 1444	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	34
PID 1548 wrote to memory of 1100	1548	System Restore.exe	35
PID 1548 wrote to memory of 1100	1548	System Restore.exe	35
PID 1548 wrote to memory of 1100	1548	System Restore.exe	35
PID 1548 wrote to memory of 1100	1548	System Restore.exe	35
PID 1992 wrote to memory of 2004	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	36
PID 1992 wrote to memory of 2004	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	36
PID 1992 wrote to memory of 2004	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	36
PID 1992 wrote to memory of 2004	1992	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe	36
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 572 wrote to memory of 1620	572	backup.exe	37
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1620 wrote to memory of 1148	1620	update.exe	38
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39
PID 1148 wrote to memory of 788	1148	backup.exe	39

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe
"C:\Users\Admin\AppData\Local\Temp\12387ea3bdcb2ff7a732d9cc806121ce65f0054b2b5462a9f86f061938f14c79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992
- C:\Users\Admin\AppData\Local\Temp\946924503\backup.exe
  C:\Users\Admin\AppData\Local\Temp\946924503\backup.exe C:\Users\Admin\AppData\Local\Temp\946924503\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\PerfLogs\System Restore.exe
      "C:\PerfLogs\System Restore.exe" C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:788
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:816
      - C:\Program Files\Common Files\Microsoft Shared\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:388
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1076
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1896
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1280
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:388
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:704
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1256
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1064
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1416
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1544
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1960
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1684
        
        C:\Program Files\Common Files\System\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\es-ES\data.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:916
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1656
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:960
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:640
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1920
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1052
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1076
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1696
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1512
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1016
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1028
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:676
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1696
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1460
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1888
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:692
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1596
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1432
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1444
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1080
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        System policy modification
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1332
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:676
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        System policy modification
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1428
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2044
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1868
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        System policy modification
        
        PID:1260
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1168
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Disables RegEdit via registry modification
        
        PID:780
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1100
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1916
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1480
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:940
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1652
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1396
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1424
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1408
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1820
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:276
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1420
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2008
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1700
    - - C:\Program Files (x86)\Microsoft Analysis Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1768
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:816
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:324
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1760
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        
        PID:1916
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1712
      - C:\Users\Admin\Documents\data.exe
        
        C:\Users\Admin\Documents\data.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:636
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1912
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1736
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:968
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1260
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1668
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1516
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1224
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:844
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:780
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1264
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1912
      - C:\Users\Public\Music\update.exe
        
        C:\Users\Public\Music\update.exe C:\Users\Public\Music\
        6⤵
        
        PID:1712
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:1764
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1260
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1680
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:1956
    - - C:\Windows\assembly\update.exe
        
        C:\Windows\assembly\update.exe C:\Windows\assembly\
        5⤵
        
        PID:560
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:584
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d10f1aded86b19c771f268e8a7e24a11

SHA1
3c45d6e261b2910a36c983f8a7477b2616c2b8d6

SHA256
853f02cb4a8a394dc22208ae10a96a5824af39442be03035c9ebb7792eba365a

SHA512
fb19c1c3cdeda3ca447fe46ea2d96f21607709765a6b0e7876a16b2ac04d649f5d4b4f499f3a49ccdc0a613a891dc0b7ecd25dd63f4bdfa2ebee18ad25f3b1f1

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
a1a2f2451e844e7e487c76df327eb7a2

SHA1
cb1e5ea546b76e8d90cb62c37fe570ef14c7666f

SHA256
f1d90a2b330b6bb98449d494d549e4add8f81a20816ecc22a5408e18dfad6960

SHA512
13d6d268a6e9c26d800906d67bbe60ea45e7ffc4559737f78ac77bafba7353dacf11d568e4050ce4cd2e750aaa3180ba340d4397a0405bf341614cf8a8e59abc

Download Submit
C:\PerfLogs\System Restore.exe

Filesize
72KB

MD5
a1a2f2451e844e7e487c76df327eb7a2

SHA1
cb1e5ea546b76e8d90cb62c37fe570ef14c7666f

SHA256
f1d90a2b330b6bb98449d494d549e4add8f81a20816ecc22a5408e18dfad6960

SHA512
13d6d268a6e9c26d800906d67bbe60ea45e7ffc4559737f78ac77bafba7353dacf11d568e4050ce4cd2e750aaa3180ba340d4397a0405bf341614cf8a8e59abc

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
79e097cab4a6eca3cac74fe04eca004d

SHA1
b52bbc102a5a6ad4cd564b94eb014093f32205aa

SHA256
1e55e7db0ecb1a348febf4293efc8c1164dccd17bbc56d0b9e2ab72de4d14f18

SHA512
bcb00e7b44a2cd1141486c7e869a08f8219c94393a73073a2e9a99f6ef44790267458585e551560e94c35d5e86247ee1ae242f6ddd4507063060c3ec0fa4651e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
C:\Users\Admin\AppData\Local\Temp\946924503\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
C:\Users\Admin\AppData\Local\Temp\946924503\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
2fb8a3ed2f3f59d3f8b11009643c2dc5

SHA1
10ae631e6c701cc3d1ec6e17789031cee2109e72

SHA256
d52ad4e7f4f1dcbd6d2194790164617414b65ed317a121a01f8ba09f23578df7

SHA512
d4552f46ed4d5d783f8ecd2bf99881e31dabfbcd190e6608bd0a32aaac25e1afde8428b99666ea74f59f53b47173242ed37580961facd4c3e60842f89aac5297

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
03178944e916738560b153706a381c1c

SHA1
4130c02bf36ccaae2cdcd0bd8e54a5278c2f2e7e

SHA256
7684b85f08066d4f2d446be5ee233f89628ec07bf45b851162cedbb825204a52

SHA512
e8cb4fee9b05d5d54aad0be57bad123d22cc1a09eb638b14c665945c5dc6a8b52b0c50b547ca2b983bb7139d812297d6c2b56423631c7f975b9f3ee6afbf6774

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
040eae1595bb565e080fcb8af74a0553

SHA1
b572a0a53a29b6763c55d2e56cec599555e62a42

SHA256
5b0c39bda78c88c7dfa68cf39cb1402cda7139dd0368a0aeb9ab2303620dfeed

SHA512
d7ba23b1e1e97ce2f9dfceacd41fe123eb872024210c643640f31c6b975c68e55bed2a0c0750b5f1305c3abd981205028a6daef9a0b6741bb1723e0c7cbf5680

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8ab7a6cd5794feed55aa9513835837fb

SHA1
159a51641ae1a39f53d21814ee3f5bebfd76be23

SHA256
491368d62bc904ddd41fa26d76eb6c98eccf80779ea1f907d82713e1e985490b

SHA512
04b5a527955e6999a2452c60fe4f23d8facdf077ac10c0bf7867c54eb8f3a8e4c69fc56d4f198843fd86c701abc2ecb26b028a9a6bc418314136abd65b31e124

Download Submit
C:\backup.exe

Filesize
72KB

MD5
8ab7a6cd5794feed55aa9513835837fb

SHA1
159a51641ae1a39f53d21814ee3f5bebfd76be23

SHA256
491368d62bc904ddd41fa26d76eb6c98eccf80779ea1f907d82713e1e985490b

SHA512
04b5a527955e6999a2452c60fe4f23d8facdf077ac10c0bf7867c54eb8f3a8e4c69fc56d4f198843fd86c701abc2ecb26b028a9a6bc418314136abd65b31e124

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d10f1aded86b19c771f268e8a7e24a11

SHA1
3c45d6e261b2910a36c983f8a7477b2616c2b8d6

SHA256
853f02cb4a8a394dc22208ae10a96a5824af39442be03035c9ebb7792eba365a

SHA512
fb19c1c3cdeda3ca447fe46ea2d96f21607709765a6b0e7876a16b2ac04d649f5d4b4f499f3a49ccdc0a613a891dc0b7ecd25dd63f4bdfa2ebee18ad25f3b1f1

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
d10f1aded86b19c771f268e8a7e24a11

SHA1
3c45d6e261b2910a36c983f8a7477b2616c2b8d6

SHA256
853f02cb4a8a394dc22208ae10a96a5824af39442be03035c9ebb7792eba365a

SHA512
fb19c1c3cdeda3ca447fe46ea2d96f21607709765a6b0e7876a16b2ac04d649f5d4b4f499f3a49ccdc0a613a891dc0b7ecd25dd63f4bdfa2ebee18ad25f3b1f1

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
a1a2f2451e844e7e487c76df327eb7a2

SHA1
cb1e5ea546b76e8d90cb62c37fe570ef14c7666f

SHA256
f1d90a2b330b6bb98449d494d549e4add8f81a20816ecc22a5408e18dfad6960

SHA512
13d6d268a6e9c26d800906d67bbe60ea45e7ffc4559737f78ac77bafba7353dacf11d568e4050ce4cd2e750aaa3180ba340d4397a0405bf341614cf8a8e59abc

Download Submit
\PerfLogs\System Restore.exe

Filesize
72KB

MD5
a1a2f2451e844e7e487c76df327eb7a2

SHA1
cb1e5ea546b76e8d90cb62c37fe570ef14c7666f

SHA256
f1d90a2b330b6bb98449d494d549e4add8f81a20816ecc22a5408e18dfad6960

SHA512
13d6d268a6e9c26d800906d67bbe60ea45e7ffc4559737f78ac77bafba7353dacf11d568e4050ce4cd2e750aaa3180ba340d4397a0405bf341614cf8a8e59abc

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
c7dd920312562bf3299c29258f67d74f

SHA1
c0346209989a1f05565c9ce0d674f394f8f7b0f0

SHA256
6ed4c40366a68e34c6a9c0cedbe3b2f2dd46a110454eb5922d5f64cdf2a3b5af

SHA512
b5d1f75c7dea636fab69b5df31f414319333ef8423ed0d9a9ea860ccd6212924511e2529ba85f46b9c6ad35ba5026140b9bd6c575b3cc871fa30bb4c3b0c5eff

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fb939a6feac0fbf7b9d0700dffa3caee

SHA1
83367fc4538333aa511f8cfcba958cf9081f6d09

SHA256
2804cf9680ea652fdc071d9f7c9dff46db379ffc8bf04c7ea00cb2bd40ee64ed

SHA512
7d2628055e88346ea9188c2e4f30efd26e48bf856098fc7118399c093a187ad3e3f37cd1f1a9b1b7223f9c6648cdccc2c1e6101f1dad06d8b100ad8d995be41c

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
79e097cab4a6eca3cac74fe04eca004d

SHA1
b52bbc102a5a6ad4cd564b94eb014093f32205aa

SHA256
1e55e7db0ecb1a348febf4293efc8c1164dccd17bbc56d0b9e2ab72de4d14f18

SHA512
bcb00e7b44a2cd1141486c7e869a08f8219c94393a73073a2e9a99f6ef44790267458585e551560e94c35d5e86247ee1ae242f6ddd4507063060c3ec0fa4651e

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
79e097cab4a6eca3cac74fe04eca004d

SHA1
b52bbc102a5a6ad4cd564b94eb014093f32205aa

SHA256
1e55e7db0ecb1a348febf4293efc8c1164dccd17bbc56d0b9e2ab72de4d14f18

SHA512
bcb00e7b44a2cd1141486c7e869a08f8219c94393a73073a2e9a99f6ef44790267458585e551560e94c35d5e86247ee1ae242f6ddd4507063060c3ec0fa4651e

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e70644d4630f265ef1b85f32d7f43eb0

SHA1
b447b44295296188d553e3af9b47a3a4086164c7

SHA256
4324376e3519f1ee401bffc1135d103d57a880fb61c2e3ef463be3698814d254

SHA512
b4c15f6f1fd5ac15fb5c079cc081d7cfa9691da7fc25b5557cf294ead73b30c292af72458f1d99d84f3b5155815bdc99622a9f015eb51cec2c13daf0fd6e3296

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
\Program Files\update.exe

Filesize
72KB

MD5
18082e71fbec2d6a40bb806246abd4d2

SHA1
f5c0d00eb1b492d00031823d22159c8fcb0ffbcc

SHA256
734d70d44501b3f6c2b319a4514cd7a31d99fb3f93fa0df8b16c9eb9b11e1035

SHA512
784e09cd9b4e96c3c6711bd05b32bc3fdcf78fd693fd7ea86a68eddf620090ff2755a3aa040ec5978568d353137bb81166ffcc1c01f61ba7013d056991ea4366

Download Submit
\Users\Admin\AppData\Local\Temp\946924503\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
\Users\Admin\AppData\Local\Temp\946924503\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
7416a8459ca7dfcd8040d264cd0ac59f

SHA1
fd5d1d638925d90af6ea2e8b3701a0b82673eb43

SHA256
d11b5245c34910b345c9241405880202ae0db5d2b0626e0d0fcfe3ecb2698a36

SHA512
4bcff332def26dbcdb08d963e1455b2c0f09286d93ad70d6225b9cbb3aa7aaa959c0832de92d717bf589489593edee89a6574f2700612e3a51b31e61fb98946a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
2fb8a3ed2f3f59d3f8b11009643c2dc5

SHA1
10ae631e6c701cc3d1ec6e17789031cee2109e72

SHA256
d52ad4e7f4f1dcbd6d2194790164617414b65ed317a121a01f8ba09f23578df7

SHA512
d4552f46ed4d5d783f8ecd2bf99881e31dabfbcd190e6608bd0a32aaac25e1afde8428b99666ea74f59f53b47173242ed37580961facd4c3e60842f89aac5297

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
2fb8a3ed2f3f59d3f8b11009643c2dc5

SHA1
10ae631e6c701cc3d1ec6e17789031cee2109e72

SHA256
d52ad4e7f4f1dcbd6d2194790164617414b65ed317a121a01f8ba09f23578df7

SHA512
d4552f46ed4d5d783f8ecd2bf99881e31dabfbcd190e6608bd0a32aaac25e1afde8428b99666ea74f59f53b47173242ed37580961facd4c3e60842f89aac5297

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
03178944e916738560b153706a381c1c

SHA1
4130c02bf36ccaae2cdcd0bd8e54a5278c2f2e7e

SHA256
7684b85f08066d4f2d446be5ee233f89628ec07bf45b851162cedbb825204a52

SHA512
e8cb4fee9b05d5d54aad0be57bad123d22cc1a09eb638b14c665945c5dc6a8b52b0c50b547ca2b983bb7139d812297d6c2b56423631c7f975b9f3ee6afbf6774

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
03178944e916738560b153706a381c1c

SHA1
4130c02bf36ccaae2cdcd0bd8e54a5278c2f2e7e

SHA256
7684b85f08066d4f2d446be5ee233f89628ec07bf45b851162cedbb825204a52

SHA512
e8cb4fee9b05d5d54aad0be57bad123d22cc1a09eb638b14c665945c5dc6a8b52b0c50b547ca2b983bb7139d812297d6c2b56423631c7f975b9f3ee6afbf6774

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
14cd0098c515a20a2309ee8b22307259

SHA1
5a9362d6adfca05b697ceb85d518348e3255a76d

SHA256
19882acfb1196d51a58a170a420fb4f64177ee913b14a482417cc4bafe51c2f3

SHA512
aa9b31c2f5e0188e1ec5cb33f2b208a04628267d741e793955d2196ff71f926649285018eed1e45bb9977fd8071faf9b2b945de8170eac874e2e17cb49ca1972

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
040eae1595bb565e080fcb8af74a0553

SHA1
b572a0a53a29b6763c55d2e56cec599555e62a42

SHA256
5b0c39bda78c88c7dfa68cf39cb1402cda7139dd0368a0aeb9ab2303620dfeed

SHA512
d7ba23b1e1e97ce2f9dfceacd41fe123eb872024210c643640f31c6b975c68e55bed2a0c0750b5f1305c3abd981205028a6daef9a0b6741bb1723e0c7cbf5680

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
040eae1595bb565e080fcb8af74a0553

SHA1
b572a0a53a29b6763c55d2e56cec599555e62a42

SHA256
5b0c39bda78c88c7dfa68cf39cb1402cda7139dd0368a0aeb9ab2303620dfeed

SHA512
d7ba23b1e1e97ce2f9dfceacd41fe123eb872024210c643640f31c6b975c68e55bed2a0c0750b5f1305c3abd981205028a6daef9a0b6741bb1723e0c7cbf5680

Download Submit
memory/584-90-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1992-211-0x0000000073C81000-0x0000000073C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads