2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b

Analysis

max time kernel
80s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
Size

72KB
MD5

4591309ca250fec71bff2155a0475c27
SHA1

43112371a86d82ba882bb3952fba4f54bd6d6cda
SHA256

2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b
SHA512

527fc6833ad4e7a0edf30bf4329a6d0d41bbb6c212410f10784603facae0c5abc3f8e552f976984c25aee4ad06fe41458330537c3c7207abb7f02dc793cf0ee1
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2U:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr4

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 51 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 49 IoCs

pid	Process
1340	update.exe
1200	backup.exe
1324	backup.exe
1308	backup.exe
868	backup.exe
676	backup.exe
1112	backup.exe
1684	backup.exe
1548	data.exe
2016	backup.exe
340	backup.exe
1480	backup.exe
1796	backup.exe
1388	backup.exe
1996	backup.exe
844	backup.exe
1700	System Restore.exe
1168	backup.exe
1264	backup.exe
1252	backup.exe
560	backup.exe
688	backup.exe
316	data.exe
624	backup.exe
392	backup.exe
1004	backup.exe
1692	backup.exe
1668	backup.exe
1624	backup.exe
1828	backup.exe
1100	backup.exe
1840	backup.exe
856	backup.exe
1944	backup.exe
1964	System Restore.exe
1336	backup.exe
1480	backup.exe
1796	backup.exe
1512	data.exe
948	backup.exe
664	backup.exe
780	backup.exe
868	backup.exe
1276	backup.exe
468	backup.exe
836	backup.exe
1112	data.exe
1348	backup.exe
364	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1340	update.exe
1340	update.exe
1340	update.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1684	backup.exe
1684	backup.exe
1548	data.exe
1548	data.exe
1548	data.exe
1548	data.exe
1548	data.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
1684	backup.exe
1684	backup.exe
340	backup.exe
340	backup.exe
340	backup.exe
340	backup.exe
340	backup.exe
1480	backup.exe
1480	backup.exe
1480	backup.exe
1480	backup.exe
1480	backup.exe
1796	backup.exe
1796	backup.exe
1796	backup.exe
340	backup.exe
340	backup.exe
1388	backup.exe
1388	backup.exe
1388	backup.exe
1280	backup.exe
1280	backup.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
1280	backup.exe
1280	backup.exe
844	backup.exe
844	backup.exe
844	backup.exe
844	backup.exe
844	backup.exe
1700	System Restore.exe
1700	System Restore.exe
1700	System Restore.exe
844	backup.exe
844	backup.exe
1168	backup.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
1340	update.exe
1200	backup.exe
1324	backup.exe
1308	backup.exe
868	backup.exe
676	backup.exe
1112	backup.exe
1684	backup.exe
1548	data.exe
2016	backup.exe
340	backup.exe
1480	backup.exe
1796	backup.exe
1280	backup.exe
1996	backup.exe
844	backup.exe
1700	System Restore.exe
1168	backup.exe
1264	backup.exe
1252	backup.exe
560	backup.exe
688	backup.exe
316	data.exe
624	backup.exe
392	backup.exe
1004	backup.exe
1692	backup.exe
1668	backup.exe
1624	backup.exe
1828	backup.exe
1100	backup.exe
1840	backup.exe
856	backup.exe
1944	backup.exe
1964	System Restore.exe
1336	backup.exe
1748	backup.exe
1480	backup.exe
1796	backup.exe
1512	data.exe
948	backup.exe
664	backup.exe
780	backup.exe
1276	backup.exe
868	backup.exe
468	backup.exe
836	backup.exe
1348	backup.exe
1112	data.exe
364	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1340	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	28
PID 1756 wrote to memory of 1200	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	29
PID 1756 wrote to memory of 1200	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	29
PID 1756 wrote to memory of 1200	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	29
PID 1756 wrote to memory of 1200	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	29
PID 1756 wrote to memory of 1324	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	30
PID 1756 wrote to memory of 1324	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	30
PID 1756 wrote to memory of 1324	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	30
PID 1756 wrote to memory of 1324	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	30
PID 1756 wrote to memory of 1308	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	31
PID 1756 wrote to memory of 1308	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	31
PID 1756 wrote to memory of 1308	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	31
PID 1756 wrote to memory of 1308	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	31
PID 1756 wrote to memory of 868	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	32
PID 1756 wrote to memory of 868	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	32
PID 1756 wrote to memory of 868	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	32
PID 1756 wrote to memory of 868	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	32
PID 1756 wrote to memory of 676	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	33
PID 1756 wrote to memory of 676	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	33
PID 1756 wrote to memory of 676	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	33
PID 1756 wrote to memory of 676	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	33
PID 1756 wrote to memory of 1112	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	34
PID 1756 wrote to memory of 1112	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	34
PID 1756 wrote to memory of 1112	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	34
PID 1756 wrote to memory of 1112	1756	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe	34
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1340 wrote to memory of 1684	1340	update.exe	35
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1684 wrote to memory of 1548	1684	backup.exe	36
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1548 wrote to memory of 2016	1548	data.exe	37
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 1684 wrote to memory of 340	1684	backup.exe	38
PID 340 wrote to memory of 1480	340	backup.exe	39
PID 340 wrote to memory of 1480	340	backup.exe	39
PID 340 wrote to memory of 1480	340	backup.exe	39
PID 340 wrote to memory of 1480	340	backup.exe	39
PID 340 wrote to memory of 1480	340	backup.exe	39

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe
"C:\Users\Admin\AppData\Local\Temp\2ded2428eed4cc12de77db8e614edec1a6e7057d6639279b3a9c70a2af77c32b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1756
- C:\Users\Admin\AppData\Local\Temp\67955928\update.exe
  C:\Users\Admin\AppData\Local\Temp\67955928\update.exe C:\Users\Admin\AppData\Local\Temp\67955928\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1684
  - - C:\PerfLogs\data.exe
      C:\PerfLogs\data.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1548
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:340
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1796
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        System policy modification
        
        PID:1388
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1512
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:1232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1348
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1320
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:560
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2404
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1748
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:832
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:1436
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1168
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2288
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1796
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1572
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2208
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1336
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:664
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:836
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1672
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1716
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1064
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:988
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:872
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:2184
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:324
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1744
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:868
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:952
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2004
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1580
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2232
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2380
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1620
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1668
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1672
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1316
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2296
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:948
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:468
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:108
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:568
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1924
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:628
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1392
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1164
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:268
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1200
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:2192
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:324
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2224
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2388
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1528
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1536
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1684
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2216
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2396
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1804
    - - C:\Program Files (x86)\Microsoft Office\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\data.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2372
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      PID:1688
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:364
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2412
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1108
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:676
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
C:\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4af001763902c95c056242e54b6196d2

SHA1
3c5058e2e14d2c3f9436304a5459a5195d8dbef9

SHA256
83d718a79b94985671a297f28a41cfe25039b7a5a5ce7b025b09edaaa804bc55

SHA512
15c2f29d13d07aab1941387f75ec5f6b913ec49b07dd77416c93512cdbf067a6b72fa5932a41ab4d68f5f1d67d61a702318cd24a72ab19a53bc53dab7a2a4db1

Download Submit
C:\backup.exe

Filesize
72KB

MD5
4af001763902c95c056242e54b6196d2

SHA1
3c5058e2e14d2c3f9436304a5459a5195d8dbef9

SHA256
83d718a79b94985671a297f28a41cfe25039b7a5a5ce7b025b09edaaa804bc55

SHA512
15c2f29d13d07aab1941387f75ec5f6b913ec49b07dd77416c93512cdbf067a6b72fa5932a41ab4d68f5f1d67d61a702318cd24a72ab19a53bc53dab7a2a4db1

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
4bf49c0d7ec6eb7902e6df6ffed7567e

SHA1
615546dc1289da982044b1752d37a1e92a1cbebf

SHA256
a40d0b741dc90b7da6ab599b623318f103c8f3a2f62e17b6e4b0bde675a6015d

SHA512
7001e8c6c90d99378e20f5253a6c26b7ded3c84aa10e370e8baf1192dae5042f7a86f446745ad7408d893aceaddebdda44e4ab8d7289e5d104d946e501b23044

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
\PerfLogs\data.exe

Filesize
72KB

MD5
859f038cd193fb872c0228d8452731e4

SHA1
22c03effa3f217bc3f4cc127587289dfb3b08edd

SHA256
698a8fd031bbb96ede0b0d63c51ee1d445fef562ee09151212eb764fc518117d

SHA512
128dce9b0138b02fbaadbf4b7633bc3bbad6f3bad063df6d72c1954bc17773021e3d88f2191834bbe4173b2e04e82530efffa80456cc5978a809dcc366dcedaf

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
09ea6cda258541e5350f3c5f8eeebfe0

SHA1
3ed38383e3052ba3b3db86ee9eee586e074ca841

SHA256
5dae5a610ad6f115f1982cd3a3d58e517d4fd53ec0bd0b6fffcf7345c22a81b5

SHA512
763eb1e204424b76ea80da7ec2f3307bc046ec18a30e845bdcf4f2744e22bebcb4b830847033cb61bf8a632a214fea5ef034ae72929f74e39d7e1b5cd6bd7ff6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
5c47fe92df4d039a3d7eade31b311e1c

SHA1
0059740d6e7fb60f61c013b6d4d0c73aa16ffe8f

SHA256
2cb17a469c6ef93690f395b1f7a41ba9ac35941b8a0d529ef731d177484a2604

SHA512
7566acaeb05b2aacfda66e753587ef4ca9fee6861096157778452af7d6c68cb509c6043e547d01156fd8fd59a35f52338cbb9ab9c6944453e196cf656693f7b3

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
6e636987ab296817e7233adc0d9c89e7

SHA1
843eabcab5570c3c2c57e34759dbcbb657b17332

SHA256
8f0ad1c6344ff9897f5818776bf21633e2317f985411bdc9784701545824423b

SHA512
ffe7b2478454bee152e921e5850bc6fcb1adde1a11f74e540def35b6199eec407fa246001bbcfc8bdeea845624f58013a79dfb5c3c44c40f6f268617df9b867e

Download Submit
\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\67955928\update.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b23296bf8a2ad0a72574ec2d40097800

SHA1
8eb27a864c0e2b7fd95875aad3c0c59751a519ca

SHA256
e66985634d11434a9885f3398c4607be5959edc4dc852e29e2406d81c821c60a

SHA512
fb2a3fc2f885fe47e9c7d619e20f3df6c75b75eeddaa70ae3ad2f216643e7d9f1021b2c88824d2dc9c7d223282cee9abbd65a333c936be8b433ddb90a1fc215c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e0e31bfe78ca4fc73b3ceaa22865e972

SHA1
f5ec5d1f6dbba04bfc9e90ce82f2cba057242110

SHA256
e47b8ccd74cfdaef07ca917b6214d7e011efeaf29a0f94d7061a07465cf88aa1

SHA512
7c413b8bdfc63f34c69722bcbf4a58bf54623ce4500beef79962ebd773cc27e76b1b3bc8fe543c323e5709c559dad052abed41d3ba49defbdb79cb8ad091fb96

Download Submit
memory/1340-60-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1756-164-0x00000000745B1000-0x00000000745B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads