cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
Size

182KB
MD5

999605f17b31cd7064a5b3d0cd6c84e7
SHA1

a3285c173ed94b23f4e5c184b08504a57b196199
SHA256

cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e
SHA512

1bd55c08a628b2b230208227cce87fa359c76f1b31dff04226f5ed9dd51e222c98271c7c59608934898fb51e22f14ac2a5806bb6f8a36c1a9319382683a7372a
SSDEEP

1536:heT7BVwxfvEFwjRs1PDXFi0VvBYv3kZtAV7ZBbP1yVGqV6zSVSGzsNE0o:hmVwRKCULFlav+m7ZB5e3V6z1GzCW

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 47 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0031000000014230-5.dat	UPX
behavioral1/memory/1548-12-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2608-29-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2340-57-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2528-50-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2856-62-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x000a00000001459f-60.dat	UPX
behavioral1/memory/2512-71-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1548-79-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x003300000001424e-87.dat	UPX
behavioral1/files/0x000600000001567f-95.dat	UPX
behavioral1/files/0x000600000001566b-97.dat	UPX
behavioral1/memory/2428-116-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0007000000015661-119.dat	UPX
behavioral1/memory/2572-125-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0007000000015661-126.dat	UPX
behavioral1/memory/2412-130-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0006000000015ca6-133.dat	UPX
behavioral1/memory/2796-115-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2412-142-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2828-143-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x000800000001568c-144.dat	UPX
behavioral1/files/0x0007000000015be6-154.dat	UPX
behavioral1/files/0x0006000000015ce1-163.dat	UPX
behavioral1/memory/2960-175-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1240-181-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1632-182-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0007000000015cba-184.dat	UPX
behavioral1/files/0x0007000000015d07-201.dat	UPX
behavioral1/memory/2756-196-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2080-208-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0007000000015d28-218.dat	UPX
behavioral1/memory/1240-211-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2276-220-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/files/0x0006000000015d56-229.dat	UPX
behavioral1/memory/1440-234-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1848-250-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2140-260-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1028-269-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2572-268-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2136-286-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/692-294-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1192-307-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/704-315-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1848-318-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/608-323-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1028-327-0x0000000000290000-0x00000000002B9000-memory.dmp	UPX
behavioral1/memory/2212-331-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1028-336-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2172-341-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1284-349-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/1284-347-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral1/memory/2564-357-0x0000000000400000-0x0000000000429000-memory.dmp	UPX

Executes dropped EXE 49 IoCs

pid	Process
1548	backup.exe
2608	backup.exe
2572	backup.exe
2528	backup.exe
2856	backup.exe
2512	backup.exe
2428	backup.exe
2960	backup.exe
2828	backup.exe
2796	backup.exe
2412	backup.exe
1632	backup.exe
1440	System Restore.exe
2756	update.exe
1240	backup.exe
2080	backup.exe
2276	backup.exe
704	backup.exe
1848	backup.exe
2140	backup.exe
1028	backup.exe
2136	backup.exe
692	backup.exe
1192	backup.exe
2256	backup.exe
608	backup.exe
2212	backup.exe
2172	backup.exe
1284	backup.exe
2564	backup.exe
2628	backup.exe
2032	backup.exe
2460	backup.exe
2592	backup.exe
2664	backup.exe
1972	backup.exe
2812	backup.exe
2992	backup.exe
2428	backup.exe
2732	data.exe
1308	backup.exe
2612	backup.exe
2772	backup.exe
1092	backup.exe
1228	backup.exe
2248	backup.exe
1944	backup.exe
3016	backup.exe
2104	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2428	backup.exe
2960	backup.exe
2960	backup.exe
2428	backup.exe
2828	backup.exe
2828	backup.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2960	backup.exe
2960	backup.exe
1632	backup.exe
1440	System Restore.exe
1440	System Restore.exe
2756	update.exe
2756	update.exe
2756	update.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
1240	backup.exe
1240	backup.exe
1440	System Restore.exe
1440	System Restore.exe
704	backup.exe
704	backup.exe
1848	backup.exe
1848	backup.exe
1848	backup.exe
1848	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe
1028	backup.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0031000000014230-5.dat	upx
behavioral1/memory/1548-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2608-29-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2340-57-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2528-50-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2856-62-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000a00000001459f-60.dat	upx
behavioral1/memory/2512-71-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1548-79-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x003300000001424e-87.dat	upx
behavioral1/files/0x000600000001567f-95.dat	upx
behavioral1/files/0x000600000001566b-97.dat	upx
behavioral1/memory/2428-116-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0007000000015661-119.dat	upx
behavioral1/memory/2572-125-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0007000000015661-126.dat	upx
behavioral1/memory/2412-130-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0006000000015ca6-133.dat	upx
behavioral1/memory/2796-115-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2412-142-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2828-143-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x000800000001568c-144.dat	upx
behavioral1/files/0x0007000000015be6-154.dat	upx
behavioral1/files/0x0006000000015ce1-163.dat	upx
behavioral1/memory/2960-175-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1240-181-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1632-182-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0007000000015cba-184.dat	upx
behavioral1/files/0x0007000000015d07-201.dat	upx
behavioral1/memory/2756-196-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2080-208-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0007000000015d28-218.dat	upx
behavioral1/memory/1240-211-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2276-220-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0006000000015d56-229.dat	upx
behavioral1/memory/1440-234-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1848-250-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2140-260-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1028-269-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2572-268-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2136-286-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/692-294-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1192-307-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/704-315-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1848-318-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/608-323-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1028-327-0x0000000000290000-0x00000000002B9000-memory.dmp	upx
behavioral1/memory/2212-331-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1028-336-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2172-341-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1284-349-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1284-347-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2564-357-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/1028-364-0x0000000000290000-0x00000000002B9000-memory.dmp	upx

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
1548	backup.exe
2608	backup.exe
2572	backup.exe
2528	backup.exe
2856	backup.exe
2512	backup.exe
2960	backup.exe
2428	backup.exe
2796	backup.exe
2828	backup.exe
2412	backup.exe
1632	backup.exe
1440	System Restore.exe
1240	backup.exe
2756	update.exe
2080	backup.exe
2276	backup.exe
704	backup.exe
1848	backup.exe
2140	backup.exe
1028	backup.exe
2136	backup.exe
692	backup.exe
1192	backup.exe
2256	backup.exe
608	backup.exe
2212	backup.exe
2172	backup.exe
1284	backup.exe
2564	backup.exe
2628	backup.exe
2032	backup.exe
2460	backup.exe
2592	backup.exe
2664	backup.exe
1972	backup.exe
2812	backup.exe
2992	backup.exe
2428	backup.exe
2732	data.exe
1308	backup.exe
2612	backup.exe
2772	backup.exe
1092	backup.exe
1228	backup.exe
2248	backup.exe
3016	backup.exe
1944	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1548	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	28
PID 2340 wrote to memory of 1548	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	28
PID 2340 wrote to memory of 1548	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	28
PID 2340 wrote to memory of 1548	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	28
PID 2340 wrote to memory of 2608	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	29
PID 2340 wrote to memory of 2608	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	29
PID 2340 wrote to memory of 2608	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	29
PID 2340 wrote to memory of 2608	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	29
PID 2340 wrote to memory of 2572	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	30
PID 2340 wrote to memory of 2572	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	30
PID 2340 wrote to memory of 2572	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	30
PID 2340 wrote to memory of 2572	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	30
PID 2340 wrote to memory of 2528	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	31
PID 2340 wrote to memory of 2528	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	31
PID 2340 wrote to memory of 2528	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	31
PID 2340 wrote to memory of 2528	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	31
PID 2340 wrote to memory of 2856	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	32
PID 2340 wrote to memory of 2856	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	32
PID 2340 wrote to memory of 2856	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	32
PID 2340 wrote to memory of 2856	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	32
PID 2340 wrote to memory of 2512	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	33
PID 2340 wrote to memory of 2512	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	33
PID 2340 wrote to memory of 2512	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	33
PID 2340 wrote to memory of 2512	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	33
PID 2340 wrote to memory of 2428	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	34
PID 2340 wrote to memory of 2428	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	34
PID 2340 wrote to memory of 2428	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	34
PID 2340 wrote to memory of 2428	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	34
PID 1548 wrote to memory of 2960	1548	backup.exe	35
PID 1548 wrote to memory of 2960	1548	backup.exe	35
PID 1548 wrote to memory of 2960	1548	backup.exe	35
PID 1548 wrote to memory of 2960	1548	backup.exe	35
PID 2960 wrote to memory of 2828	2960	backup.exe	37
PID 2960 wrote to memory of 2828	2960	backup.exe	37
PID 2960 wrote to memory of 2828	2960	backup.exe	37
PID 2960 wrote to memory of 2828	2960	backup.exe	37
PID 2428 wrote to memory of 2796	2428	backup.exe	36
PID 2428 wrote to memory of 2796	2428	backup.exe	36
PID 2428 wrote to memory of 2796	2428	backup.exe	36
PID 2428 wrote to memory of 2796	2428	backup.exe	36
PID 2828 wrote to memory of 2412	2828	backup.exe	38
PID 2828 wrote to memory of 2412	2828	backup.exe	38
PID 2828 wrote to memory of 2412	2828	backup.exe	38
PID 2828 wrote to memory of 2412	2828	backup.exe	38
PID 2340 wrote to memory of 1632	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	39
PID 2340 wrote to memory of 1632	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	39
PID 2340 wrote to memory of 1632	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	39
PID 2340 wrote to memory of 1632	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	39
PID 2960 wrote to memory of 1440	2960	backup.exe	40
PID 2960 wrote to memory of 1440	2960	backup.exe	40
PID 2960 wrote to memory of 1440	2960	backup.exe	40
PID 2960 wrote to memory of 1440	2960	backup.exe	40
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1632 wrote to memory of 2756	1632	backup.exe	41
PID 1440 wrote to memory of 1240	1440	System Restore.exe	42
PID 1440 wrote to memory of 1240	1440	System Restore.exe	42
PID 1440 wrote to memory of 1240	1440	System Restore.exe	42
PID 1440 wrote to memory of 1240	1440	System Restore.exe	42
PID 2340 wrote to memory of 2080	2340	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe
"C:\Users\Admin\AppData\Local\Temp\cbb303b5e74a1da86eb55cef26905c3181fe744535ac206e335fbec9317a846e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Users\Admin\AppData\Local\Temp\406315420\backup.exe
  C:\Users\Admin\AppData\Local\Temp\406315420\backup.exe C:\Users\Admin\AppData\Local\Temp\406315420\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1548
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2960
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2828
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2412
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1440
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1240
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:704
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2256
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2628
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:2572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:2080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2484
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1252
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1380
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:996
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2888
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1752
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1820
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2576
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2088
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:1964
      - C:\Program Files\DVD Maker\de-DE\data.exe
        
        "C:\Program Files\DVD Maker\de-DE\data.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2292
      - C:\Program Files\DVD Maker\en-US\update.exe
        
        "C:\Program Files\DVD Maker\en-US\update.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:868
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2848
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2496
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1620
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:828
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1704
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2552
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2440
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:628
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2668
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2996
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2880
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2304
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2540
    - - C:\Program Files\MSBuild\data.exe
        
        "C:\Program Files\MSBuild\data.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2192
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1652
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1944
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2392
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1104
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1568
    - - C:\Program Files (x86)\Common Files\update.exe
        
        "C:\Program Files (x86)\Common Files\update.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2700
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2676
      - C:\Program Files (x86)\Common Files\Adobe AIR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2760
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1480
    - - C:\Program Files (x86)\Google\data.exe
        
        "C:\Program Files (x86)\Google\data.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2820
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2352
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2904
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1532
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2556
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2444
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\update.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
64KB

MD5
4ce2af46d067235da8219dd4bdce7aee

SHA1
5290e6074331577a6dd3a51e55c9ff99c6029f48

SHA256
f27ba3242fbf3d955436e89263aeb936ee956e8413237db8df46f6f9c9ba02fc

SHA512
3aa9aea4be5014b511479f40fe8e0496849d27c5ad2019f3fdfcb4b0215f68c399355c78a16d6e56feb76660ebbd8c0c7059ca93f90bc212f80df46b3b9f1607

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
182KB

MD5
4cbe4554b5e7f2f32b026ec92f9de35e

SHA1
9959c1c4f6e87c3b0916725473b095c3ca4389bd

SHA256
3e6f834e80ac370e972e18daedb33e5b50a925ca4a80f8e8abcd605562540eb5

SHA512
496d4d111f8c70913c09f740d6841f9c16125c3883ed8db9d148ab4ae05e5a17f9443559effab59239cb18c42b0f7ecb77fdf7f3c74775ca3fe681c16ff7b9f6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
182KB

MD5
8eb146d9592e30c3a7a82af1f02852bf

SHA1
39a67875a82deff236be1bee3f8291ef8bcab42e

SHA256
9eec5615c2f40be08fc1c6d8d5892fc822f01fa97e117a3b08cdbc6ef5ba16b8

SHA512
96da56ccf4fd301abcb7b7d6c7ebe92f2c819f58a3765a762aa4d3ecb1f20664dcd1ec6eab4a7d8f535adcbd37c0e284f3540e9063271d9ebf18ea57a0d5af45

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
50KB

MD5
af1f3d63c779df9f9f076514a75a8b5a

SHA1
5212d744b7067943500f28ae7f9addbcf011767a

SHA256
1f72b4b5f0d2e2ed3b9e8cbb090027c67548b1a246f139b83d96e1c4489b3936

SHA512
04b9f44d9baa832d6c57dd1b70b96a8fecfe49720c9e2c908a9cc0282352a0d1c8261baeebd27a3910dbde42829ddc350dd05ca99cc074e7488bc1cbef39ca58

Download Submit
C:\backup.exe

Filesize
182KB

MD5
e21fac3491b7957ed3b0e79c76ec86e1

SHA1
72591fa9352cac29f90ceb0942c306d95dad9bbb

SHA256
fc04f7e1a64b1893e199138db39047f32444705ff5bd7eac05e3e604cdecc38d

SHA512
ef5d8e76ff9d2a9c11373fcc197a7f2c470a86ccf8c895b7b7df5d7a710904eb08ed2c80c7822b1cebe28e7a78c384acc1f6c7b6e6d80030d1b7da0030f05a5c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
182KB

MD5
60ba3dbf3bcf9c681f0caaa72966cd1c

SHA1
ae2f02d2cf18959c4fd6da312e3d2de23cadda01

SHA256
b138a4e5a9900d3a5d7d9defbf8c56d1eec6d773ae641d14db6befd1c8d531b9

SHA512
70919b00745e885c3e6f3b32af896bf307508e3c64a00d23f55919bfcfe4787e343fc1321e06be1e2e92971fa48382863f570b62b819b08b1b213201982d4fe7

Download Submit
\PerfLogs\backup.exe

Filesize
182KB

MD5
795946088c2d76a16aa2e3c8535e1ebe

SHA1
39dd5b7544eaef3d514b76319d9f39762b2d2756

SHA256
46e9b543bb1c23a11b7064534a6ff586e19bcf9dbb74175d42d3349573bb00c7

SHA512
2226716e2c38141b81efffbeeb300007181afde565c0c8868cde1b47428abf6250dddc32108a9bf1306484aebcaeccf43d4061a41f2f90d14e5006bb0b377e6f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
182KB

MD5
2bab8c917fdf6225eb2371b81808fdb0

SHA1
170c1f821ec1c6f2bf042ae04e1113f29caec09e

SHA256
8b2801a4c0df1e499f2abbf00c4d7c78b174559be6035af9e414c827b4a9cced

SHA512
580214bc4852566e3438a23d2b7548485ba5d4e6980b832233eb380e50168072803d462c40fb84455502d3ec2cf1f774a8db729e11442a083b523d66fc8dfb0c

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
182KB

MD5
67b800dde144ed834cebfb80ed4ce666

SHA1
022e2db82222203d0802118be152bea6ca0cd743

SHA256
c15a0f9533cce2cab3473996cd24bc8f7c3b800f106be85b62419bfb571df1f7

SHA512
6853878b6ddc0d230d485f0044a3e263c007c7195e9294e37edc90a77dac8e6f09febbbeb2ccfcbe1c3eabf03d002975b5ac1683cf013d78d77f78548158c956

Download Submit
\Program Files\System Restore.exe

Filesize
182KB

MD5
beb2442ac118a1f5f725e66d8a8db268

SHA1
43eb2ae3d511113579ca6396d245869e7bf48b54

SHA256
b6cce11063f4d5a1553e08934eece95872fdfc462efbf8cdd1c834a6d9f15340

SHA512
8baf15fc73893c68c7b466dc4de26cc3bd242e2e4f72a14cd16b8c7b43987501282e0823491f1be945f95768f9debcba41fd7e1eb84b305b239b41206a9fe438

Download Submit
\Users\Admin\AppData\Local\Temp\406315420\backup.exe

Filesize
182KB

MD5
727839bb3d39e0a4b7fb06ec2c172972

SHA1
0986571fb0a50ce664bd9cc0df7d9122c7d24760

SHA256
e20a1829682704fbab673c9cc118e011298bc185a064c79d2c285bb8515a8204

SHA512
fcd982a83771654b58b3dcf89e298e0400b5d17ec200115866e225fc0b0750c8c2b359492251d1acbb4622df59f3600afb4381b4662b48c0c49df955f7467e8a

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
182KB

MD5
50c21e17d958cbc6f43ca64f45e492b9

SHA1
02ae015ec04c0b136182eab8ac8246d39bdbb362

SHA256
b68b22bf40b8252c7ef01cdf5d14b6afb691ed2037945df92fd81d12a7693b39

SHA512
1b102356a07d93e24a0690e1f473e211f67080362859be67455943f089b31adac2e6a3dfa11814328e6b2465ae933576f3bf9d41faa24a2f11a3cc905d3a2891

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
182KB

MD5
41b5e8becf1afa54df0bc4c9fff7e86c

SHA1
fdeb863f9824dcf3e1c8750760193a6978fc1c73

SHA256
9a63a48b3007f267301a912d8cd0f8530cd888a2379860f3e2ae7fea0830e6ac

SHA512
2589643d03dafa180986c5af3c4400f2240598fefa7aaecf3833493b5452314177b5bb9bf07fe12dc68e39d836b1aa28821dc96441b6129ffc6aed38ea162999

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2792_1904683742\CRX_INSTALL\backup.exe

Filesize
182KB

MD5
f35f623e8534fc66f5aa9a3349f4d83f

SHA1
05c4d221d257c31d67023378774d663e27d698e6

SHA256
a37cd63b56f802dbcd110fdc3e09ac8e81b374b3a90bd2e979d47b4ceb2e9b85

SHA512
4f7e56f5407db26a9c21d36b5ddaed0a351168243b0447b5f9560fda29a6d3acd2b284ae41af003a176a6380b76d0cde9f1a325fb1e7270b20e15bb1a2f8b42d

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\CRX_INSTALL\update.exe

Filesize
182KB

MD5
531f3a3c7b8a989c4dd9499ed08847f4

SHA1
ee982b8f981e16a907b7ca9e8b8e400557367437

SHA256
9cbff09abd95ccf8cddd6a910b721017e8d80ce252a9a58c490bb5b06c242057

SHA512
1d38042bdde9ded4acc63c74513210a6bfcd79c670a07476630425d2c16124b769f99b60669ec9e18e13b990fada1443c7791ad008db599048d09995eda101b4

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2792_66564878\backup.exe

Filesize
182KB

MD5
14f9f5a8a47d55bbfeb7d4ed8e305bf1

SHA1
2ba921f287e83db4dc5bf7f14b269107c5cfbba2

SHA256
38dbc001bfdb1142ad1ea6ef63df98cf3ba37ba7342f54b7f471a44da715936d

SHA512
96693c3e4cf149eb8e35874bcf9c5f841133e1d795df7e16b0136219e367c476a559784795f20024fa87a7d7beff78b5034f7c953751713611ceb9392458f2c7

Download Submit
memory/608-323-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/692-294-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/704-237-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/704-316-0x00000000003A0000-0x00000000003C9000-memory.dmp

Filesize
164KB

Download
memory/704-315-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-269-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-282-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1028-327-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1028-336-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1028-359-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1028-363-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1028-364-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/1192-307-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1240-204-0x0000000001DC0000-0x0000000001DE9000-memory.dmp

Filesize
164KB

Download
memory/1240-181-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1240-211-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1240-202-0x0000000001DC0000-0x0000000001DE9000-memory.dmp

Filesize
164KB

Download
memory/1284-349-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1284-347-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1440-219-0x00000000024B0000-0x00000000024D9000-memory.dmp

Filesize
164KB

Download
memory/1440-267-0x00000000024B0000-0x00000000024D9000-memory.dmp

Filesize
164KB

Download
memory/1440-169-0x00000000024B0000-0x00000000024D9000-memory.dmp

Filesize
164KB

Download
memory/1440-234-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1632-182-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-318-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-256-0x0000000000310000-0x0000000000339000-memory.dmp

Filesize
164KB

Download
memory/1848-250-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2080-208-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-286-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2140-260-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2172-341-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2212-331-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2276-220-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-137-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/2340-241-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2340-191-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/2340-21-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/2340-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2340-317-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2340-299-0x00000000003D0000-0x00000000003F9000-memory.dmp

Filesize
164KB

Download
memory/2412-130-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2412-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2512-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2528-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-357-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-125-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2572-268-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-196-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2756-180-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/2756-179-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/2796-115-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2828-128-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/2856-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-225-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/2960-175-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-153-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/2960-224-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/2960-109-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads