b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f

Analysis

max time kernel
152s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
Size

72KB
MD5

5da05da2cfdb6c0559864749dd5336e7
SHA1

a2d114347a359471d991adcdccb3c4a9a8a3f051
SHA256

b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f
SHA512

7dae5e37aedf34231e314cde90a7c862c7ed359b7747ecde3fa9423025240b519d678018b13c35ee565849e98115a5c67301d361bde08ade05c4c44c5e03770f
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2a:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrW

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3140	backup.exe
4700	backup.exe
1676	backup.exe
204	data.exe
1568	backup.exe
3764	System Restore.exe
2132	backup.exe
3628	backup.exe
1104	backup.exe
572	backup.exe
852	backup.exe
4012	backup.exe
4276	backup.exe
1356	backup.exe
3108	backup.exe
3380	backup.exe
2332	update.exe
4404	backup.exe
3392	backup.exe
3068	backup.exe
4800	backup.exe
4300	backup.exe
4592	backup.exe
4312	backup.exe
888	backup.exe
60	backup.exe
3128	backup.exe
1472	backup.exe
4316	backup.exe
4232	backup.exe
3540	backup.exe
792	backup.exe
4628	backup.exe
3236	backup.exe
2724	backup.exe
4992	backup.exe
4952	backup.exe
3168	backup.exe
372	backup.exe
3160	backup.exe
952	backup.exe
4528	backup.exe
5008	data.exe
5072	backup.exe
3876	backup.exe
4364	backup.exe
3968	backup.exe
4140	backup.exe
4852	backup.exe
2804	backup.exe
4268	backup.exe
4148	backup.exe
2620	backup.exe
1820	backup.exe
4420	backup.exe
1888	backup.exe
4984	backup.exe
2688	backup.exe
1656	backup.exe
3200	backup.exe
4588	backup.exe
316	backup.exe
1680	backup.exe
1924	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	System Restore.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\en-US\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\update.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
3140	backup.exe
4700	backup.exe
1676	backup.exe
204	data.exe
1568	backup.exe
3764	System Restore.exe
3628	backup.exe
2132	backup.exe
1104	backup.exe
572	backup.exe
852	backup.exe
4012	backup.exe
4276	backup.exe
1356	backup.exe
3108	backup.exe
3380	backup.exe
2332	update.exe
4404	backup.exe
3392	backup.exe
3068	backup.exe
4800	backup.exe
4300	backup.exe
4592	backup.exe
4312	backup.exe
888	backup.exe
3128	backup.exe
4316	backup.exe
60	backup.exe
1472	backup.exe
4232	backup.exe
3540	backup.exe
792	backup.exe
4628	backup.exe
3236	backup.exe
2724	backup.exe
4992	backup.exe
4952	backup.exe
3168	backup.exe
372	backup.exe
3160	backup.exe
5008	data.exe
952	backup.exe
4528	backup.exe
5072	backup.exe
3876	backup.exe
4364	backup.exe
4140	backup.exe
3968	backup.exe
4852	backup.exe
4148	backup.exe
2804	backup.exe
2620	backup.exe
4268	backup.exe
1820	backup.exe
4420	backup.exe
1888	backup.exe
4984	backup.exe
2688	backup.exe
1656	backup.exe
3200	backup.exe
4588	backup.exe
316	backup.exe
1680	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 3140	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	85
PID 1184 wrote to memory of 3140	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	85
PID 1184 wrote to memory of 3140	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	85
PID 1184 wrote to memory of 4700	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	86
PID 1184 wrote to memory of 4700	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	86
PID 1184 wrote to memory of 4700	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	86
PID 1184 wrote to memory of 1676	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	87
PID 1184 wrote to memory of 1676	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	87
PID 1184 wrote to memory of 1676	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	87
PID 1184 wrote to memory of 204	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	88
PID 1184 wrote to memory of 204	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	88
PID 1184 wrote to memory of 204	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	88
PID 1184 wrote to memory of 1568	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	89
PID 1184 wrote to memory of 1568	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	89
PID 1184 wrote to memory of 1568	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	89
PID 3140 wrote to memory of 3764	3140	backup.exe	90
PID 3140 wrote to memory of 3764	3140	backup.exe	90
PID 3140 wrote to memory of 3764	3140	backup.exe	90
PID 1184 wrote to memory of 3628	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	92
PID 1184 wrote to memory of 3628	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	92
PID 1184 wrote to memory of 3628	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	92
PID 3764 wrote to memory of 2132	3764	System Restore.exe	91
PID 3764 wrote to memory of 2132	3764	System Restore.exe	91
PID 3764 wrote to memory of 2132	3764	System Restore.exe	91
PID 3764 wrote to memory of 1104	3764	System Restore.exe	93
PID 3764 wrote to memory of 1104	3764	System Restore.exe	93
PID 3764 wrote to memory of 1104	3764	System Restore.exe	93
PID 1184 wrote to memory of 572	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	94
PID 1184 wrote to memory of 572	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	94
PID 1184 wrote to memory of 572	1184	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe	94
PID 3764 wrote to memory of 852	3764	System Restore.exe	95
PID 3764 wrote to memory of 852	3764	System Restore.exe	95
PID 3764 wrote to memory of 852	3764	System Restore.exe	95
PID 852 wrote to memory of 4012	852	backup.exe	96
PID 852 wrote to memory of 4012	852	backup.exe	96
PID 852 wrote to memory of 4012	852	backup.exe	96
PID 4012 wrote to memory of 4276	4012	backup.exe	97
PID 4012 wrote to memory of 4276	4012	backup.exe	97
PID 4012 wrote to memory of 4276	4012	backup.exe	97
PID 852 wrote to memory of 1356	852	backup.exe	98
PID 852 wrote to memory of 1356	852	backup.exe	98
PID 852 wrote to memory of 1356	852	backup.exe	98
PID 1356 wrote to memory of 3108	1356	backup.exe	99
PID 1356 wrote to memory of 3108	1356	backup.exe	99
PID 1356 wrote to memory of 3108	1356	backup.exe	99
PID 1356 wrote to memory of 3380	1356	backup.exe	100
PID 1356 wrote to memory of 3380	1356	backup.exe	100
PID 1356 wrote to memory of 3380	1356	backup.exe	100
PID 3380 wrote to memory of 2332	3380	backup.exe	101
PID 3380 wrote to memory of 2332	3380	backup.exe	101
PID 3380 wrote to memory of 2332	3380	backup.exe	101
PID 3380 wrote to memory of 4404	3380	backup.exe	102
PID 3380 wrote to memory of 4404	3380	backup.exe	102
PID 3380 wrote to memory of 4404	3380	backup.exe	102
PID 4404 wrote to memory of 3392	4404	backup.exe	103
PID 4404 wrote to memory of 3392	4404	backup.exe	103
PID 4404 wrote to memory of 3392	4404	backup.exe	103
PID 4404 wrote to memory of 3068	4404	backup.exe	104
PID 4404 wrote to memory of 3068	4404	backup.exe	104
PID 4404 wrote to memory of 3068	4404	backup.exe	104
PID 4404 wrote to memory of 4800	4404	backup.exe	105
PID 4404 wrote to memory of 4800	4404	backup.exe	105
PID 4404 wrote to memory of 4800	4404	backup.exe	105
PID 4404 wrote to memory of 4300	4404	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe
"C:\Users\Admin\AppData\Local\Temp\b5f598500f294bd979f1befe95dd96aa24b14c2a6ee529718ade8b3b84fd305f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1184
- C:\Users\Admin\AppData\Local\Temp\2423335464\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2423335464\backup.exe C:\Users\Admin\AppData\Local\Temp\2423335464\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2132
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1104
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4012
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4276
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3108
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4404
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4800
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4300
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4592
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4312
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4316
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2620
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        System policy modification
        
        PID:2908
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5104
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        
        PID:5004
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:1512
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:2828
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2032
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1192
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:2492
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:3632
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4544
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4092
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3860
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:2740
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4232
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4852
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2736
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:3124
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4228
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4336
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3180
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4912
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:2240
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:1308
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2896
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Drops file in Program Files directory
        
        PID:4700
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:2932
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:60
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:792
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4992
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2688
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:3856
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4132
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2664
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4152
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:2380
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4288
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:944
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:424
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4600
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4136
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3624
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3044
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:224
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4028
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3928
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2740
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4620
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5072
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4148
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3940
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2640
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4376
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:1264
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Disables RegEdit via registry modification
        
        PID:388
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:1464
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4388
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4472
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
      - C:\Program Files\Internet Explorer\en-US\update.exe
        
        "C:\Program Files\Internet Explorer\en-US\update.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3564
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2572
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4824
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4592
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:332
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4636
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:4684
        
        C:\Program Files\Java\jdk1.8.0_66\bin\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\update.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3804
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Drops file in Program Files directory
        
        PID:4324
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:5032
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:944
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:5012
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:4176
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4228
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:4912
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        System policy modification
        
        PID:388
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4804
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:2716
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3128
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3540
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3440
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:3860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:1880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:5052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:2684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:2596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        
        PID:204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:3948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2276
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1092
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4540
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4092
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:2352
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4012
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\data.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:620
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:388
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1152
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        
        PID:1888
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Drops file in Program Files directory
        
        PID:4768
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3536
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5004
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:4244
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Disables RegEdit via registry modification
        
        PID:3144
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1404
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:2724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:4232
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4944
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3508
      - C:\Program Files (x86)\Common Files\Microsoft Shared\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4276
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:3732
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1432
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:2564
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:2968
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        System policy modification
        
        PID:2348
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:856
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1004
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:5056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1164
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:3972
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:3376
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1956
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3444
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1836
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1880
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2056
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        System policy modification
        
        PID:680
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1556
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1332
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:4388
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4744
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:3120
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4492
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:60
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:3452
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:4872
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:680
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3692
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3724
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1464
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1632
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3200
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        System policy modification
        
        PID:3040
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:2664
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:2908
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1644
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
      - C:\Users\Admin\Searches\System Restore.exe
        
        "C:\Users\Admin\Searches\System Restore.exe" C:\Users\Admin\Searches\
        6⤵
        System policy modification
        
        PID:4080
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4928
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:1680
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3856
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3460
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:396
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        System policy modification
        
        PID:4796
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:3968
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4040
    - - C:\Windows\appcompat\update.exe
        
        C:\Windows\appcompat\update.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1452
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        System policy modification
        
        PID:2804
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3088
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2640
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        System policy modification
        
        PID:5108
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3388
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1088
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3812
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
      - C:\Windows\apppatch\en-US\update.exe
        
        C:\Windows\apppatch\en-US\update.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:4088
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\Low\data.exe
  C:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:204
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:572

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
1⤵
PID:2276
- C:\Windows\appcompat\appraiser\Telemetry\backup.exe
  C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
43e107a120dfd93ba5249da7190d07e4

SHA1
8b371762248908546eb3e4941e7a46f26b57e205

SHA256
9dc63a81f8087abdfb5c1ee330c2f16b739a185d72fce56f02107f3a5c42b193

SHA512
7c287581360736084e5aa19509cc201d25f109f69d7596a7cd04f09cbddb1b2c1682ac4aa9b5f2342e36a87cd19f924e5f68eac52fe74947ea091a896feb66d0

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
43e107a120dfd93ba5249da7190d07e4

SHA1
8b371762248908546eb3e4941e7a46f26b57e205

SHA256
9dc63a81f8087abdfb5c1ee330c2f16b739a185d72fce56f02107f3a5c42b193

SHA512
7c287581360736084e5aa19509cc201d25f109f69d7596a7cd04f09cbddb1b2c1682ac4aa9b5f2342e36a87cd19f924e5f68eac52fe74947ea091a896feb66d0

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
3cb1ce76890d6cf6feca877cf2aeaf54

SHA1
b78186d91b37f33d084ccf0a5eb56fc93541eef3

SHA256
821d9972cafb4e36738a9f2d5cb37449ea104e355c931709c9c647349d8fb354

SHA512
6dd6db97d4a880c345f42c795cbd9f7a77bb463eb7767756f5940aa9bcfd8f39829474cd53f10570496c201334ff9f5d31bb458bc3d812d00bab60116bdcc79c

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
3cb1ce76890d6cf6feca877cf2aeaf54

SHA1
b78186d91b37f33d084ccf0a5eb56fc93541eef3

SHA256
821d9972cafb4e36738a9f2d5cb37449ea104e355c931709c9c647349d8fb354

SHA512
6dd6db97d4a880c345f42c795cbd9f7a77bb463eb7767756f5940aa9bcfd8f39829474cd53f10570496c201334ff9f5d31bb458bc3d812d00bab60116bdcc79c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e4a512b3a0ee91ec70b0f79b20f42b27

SHA1
c7f219a6d27cee5ed52c3e4f45d241f2c0783320

SHA256
b911effa71668cbb1d45d44eb0b9437150b42a91708691cfabfdb428dd724d7a

SHA512
d4a245b7498af1cc1b2bb71a6c5c4b8ed33f821afb31a2fa853d02349b3e5c52bc418bd5e0300c6a8b24b5a86a83e58779df8df2702a07f19a5567c99ffbdf58

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
e4a512b3a0ee91ec70b0f79b20f42b27

SHA1
c7f219a6d27cee5ed52c3e4f45d241f2c0783320

SHA256
b911effa71668cbb1d45d44eb0b9437150b42a91708691cfabfdb428dd724d7a

SHA512
d4a245b7498af1cc1b2bb71a6c5c4b8ed33f821afb31a2fa853d02349b3e5c52bc418bd5e0300c6a8b24b5a86a83e58779df8df2702a07f19a5567c99ffbdf58

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
23405a8a064aef018c62167948c6688a

SHA1
68e06f91741ec49139d5d243e31895f94a64364e

SHA256
e87af2207bee7128d93b9c083110c31981f0f326168be9132f5f064204ddbe41

SHA512
86526ed331abb74bcb3da6d0249d5b089fccb9ddd6f6ee9d01318d6eef0457c667b019c0855670b4239a0002b96208c3c8fe09212fb0837ea914c7b53c423575

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
23405a8a064aef018c62167948c6688a

SHA1
68e06f91741ec49139d5d243e31895f94a64364e

SHA256
e87af2207bee7128d93b9c083110c31981f0f326168be9132f5f064204ddbe41

SHA512
86526ed331abb74bcb3da6d0249d5b089fccb9ddd6f6ee9d01318d6eef0457c667b019c0855670b4239a0002b96208c3c8fe09212fb0837ea914c7b53c423575

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
e39d3465226f08e3afc6015d06fa643c

SHA1
6ed4757ab0830b2db59cfec2a8f21002f2025cd5

SHA256
d179453f49cc65c47f8b218aea74f8bedd24875ba103c7cc2f79a3bb46ea718a

SHA512
4f511a3432bae7c1508b1e1e40539b66296c36ae9d8d9f5aa47d0b786000a17a5de8247cb75f249409ebee3cad23d09293bc516111fa7fa29fe1897dfa2e2981

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
e39d3465226f08e3afc6015d06fa643c

SHA1
6ed4757ab0830b2db59cfec2a8f21002f2025cd5

SHA256
d179453f49cc65c47f8b218aea74f8bedd24875ba103c7cc2f79a3bb46ea718a

SHA512
4f511a3432bae7c1508b1e1e40539b66296c36ae9d8d9f5aa47d0b786000a17a5de8247cb75f249409ebee3cad23d09293bc516111fa7fa29fe1897dfa2e2981

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
ee3804f58aba66d82bbed5ca674e892f

SHA1
b320eda6fa728b0aa276bf0ae28679d746e13e34

SHA256
16c6b85e309c0b24291f9fec1e36875140723f241122208a44da26d271dd5c2d

SHA512
99daff5eb50a5ca2369bfcf19e9a114b5bf07539a39a4b694b7c1f27627d3bb122ed409662cf5e8bda27edae208d66e8e8e1bcb3abeb52e7d528b44ff14a7672

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
ee3804f58aba66d82bbed5ca674e892f

SHA1
b320eda6fa728b0aa276bf0ae28679d746e13e34

SHA256
16c6b85e309c0b24291f9fec1e36875140723f241122208a44da26d271dd5c2d

SHA512
99daff5eb50a5ca2369bfcf19e9a114b5bf07539a39a4b694b7c1f27627d3bb122ed409662cf5e8bda27edae208d66e8e8e1bcb3abeb52e7d528b44ff14a7672

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
f1e0643d13db007a64b7658d8e8ed977

SHA1
4221d9f5bbbc1faa40afbcf1240b215140184124

SHA256
705349f4eebcf420a52d1def3e6c55d7ba31b49fecc0c731426494d5793d7a3f

SHA512
04c85ea86a207c3f75cee5d8c713e894d49961b6f15fa02f235914510acc1f373482e44ec3688d2653f3466b30bb8d436abd34e9a97b675bd87ac37597e3929c

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
f1e0643d13db007a64b7658d8e8ed977

SHA1
4221d9f5bbbc1faa40afbcf1240b215140184124

SHA256
705349f4eebcf420a52d1def3e6c55d7ba31b49fecc0c731426494d5793d7a3f

SHA512
04c85ea86a207c3f75cee5d8c713e894d49961b6f15fa02f235914510acc1f373482e44ec3688d2653f3466b30bb8d436abd34e9a97b675bd87ac37597e3929c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c7cab34e2bcca4e6a6bbb356f93b98de

SHA1
4559b42dbd5992f8239115ec482efeaefa3fa9ee

SHA256
079e6a19128816e0e205383e47e37ba844a93eef71501e5679548c04388565f2

SHA512
56634dc12e35cd5d973f48c0bc9940b95e4ddd54885f2f95ff0fbcecf2ce11fb27c1c6932656373a32f3d380f558634bf3f97c46815ee4424e9f0e313d66775c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c7cab34e2bcca4e6a6bbb356f93b98de

SHA1
4559b42dbd5992f8239115ec482efeaefa3fa9ee

SHA256
079e6a19128816e0e205383e47e37ba844a93eef71501e5679548c04388565f2

SHA512
56634dc12e35cd5d973f48c0bc9940b95e4ddd54885f2f95ff0fbcecf2ce11fb27c1c6932656373a32f3d380f558634bf3f97c46815ee4424e9f0e313d66775c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
39a3c4f5c2213c5b88fb07c6fb169b79

SHA1
63272b2cda0f3a9e0fec3a9beb7bca6381359863

SHA256
cd2634fe1f7130543fcb1882a12b6b95933d982ea4a7822d1dcf0ed6630d08e3

SHA512
49efe993fcbe1aece5236e0ce43ca4b3c513d27db096075f5e558ce11c1e1c862ca8fb344971036a1ec8d5ce1d0fd01668079024f0f901edd7072e3e43a5c0a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
39a3c4f5c2213c5b88fb07c6fb169b79

SHA1
63272b2cda0f3a9e0fec3a9beb7bca6381359863

SHA256
cd2634fe1f7130543fcb1882a12b6b95933d982ea4a7822d1dcf0ed6630d08e3

SHA512
49efe993fcbe1aece5236e0ce43ca4b3c513d27db096075f5e558ce11c1e1c862ca8fb344971036a1ec8d5ce1d0fd01668079024f0f901edd7072e3e43a5c0a5

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
4787e82bbc5f9f4d14a29527d3d21482

SHA1
a7f3fbb72929aaab2faeeff0d0f6622c5fa79448

SHA256
0d8471bac74ae82ae98b706078532099c92afdfc85384d66c2a283b8a014c2ac

SHA512
327d6ce3a7079861eae158836f1cb346710b7d7e05ff7c925c774be7291bdc19d4ca1ae484b8e16085fb6a57aa1f6b6892a824923dab290ed7d7d599dcd88088

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
4787e82bbc5f9f4d14a29527d3d21482

SHA1
a7f3fbb72929aaab2faeeff0d0f6622c5fa79448

SHA256
0d8471bac74ae82ae98b706078532099c92afdfc85384d66c2a283b8a014c2ac

SHA512
327d6ce3a7079861eae158836f1cb346710b7d7e05ff7c925c774be7291bdc19d4ca1ae484b8e16085fb6a57aa1f6b6892a824923dab290ed7d7d599dcd88088

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
e39d3465226f08e3afc6015d06fa643c

SHA1
6ed4757ab0830b2db59cfec2a8f21002f2025cd5

SHA256
d179453f49cc65c47f8b218aea74f8bedd24875ba103c7cc2f79a3bb46ea718a

SHA512
4f511a3432bae7c1508b1e1e40539b66296c36ae9d8d9f5aa47d0b786000a17a5de8247cb75f249409ebee3cad23d09293bc516111fa7fa29fe1897dfa2e2981

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
e39d3465226f08e3afc6015d06fa643c

SHA1
6ed4757ab0830b2db59cfec2a8f21002f2025cd5

SHA256
d179453f49cc65c47f8b218aea74f8bedd24875ba103c7cc2f79a3bb46ea718a

SHA512
4f511a3432bae7c1508b1e1e40539b66296c36ae9d8d9f5aa47d0b786000a17a5de8247cb75f249409ebee3cad23d09293bc516111fa7fa29fe1897dfa2e2981

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
8af41965f733c119f8f412e0b9689efd

SHA1
cb29d105ad6822c372fd11c1b36c914d7aab6fc8

SHA256
9241cb3f873bc8232b609a7fcab0d0313e982aa90e48a9442c2bd30a1e067b2a

SHA512
e31cb52ff0db30423f46b9ce63bde8dec7af6359a7deb6f2b01a805cfd996a47e53cbf29e9a459edcff4ec682f8c1ef201e5fa6a48c55ec1f1bd166aa5f2d716

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
8af41965f733c119f8f412e0b9689efd

SHA1
cb29d105ad6822c372fd11c1b36c914d7aab6fc8

SHA256
9241cb3f873bc8232b609a7fcab0d0313e982aa90e48a9442c2bd30a1e067b2a

SHA512
e31cb52ff0db30423f46b9ce63bde8dec7af6359a7deb6f2b01a805cfd996a47e53cbf29e9a459edcff4ec682f8c1ef201e5fa6a48c55ec1f1bd166aa5f2d716

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
1ae936e3e3c66ac9d2f15639a0c2c25d

SHA1
39505c27f328bdf00733323e554c35e12a6d9938

SHA256
b19c471eaa5ca7a6adcfb1162a28ad6de69b52771e027989c967483327a3baa7

SHA512
4c2b4b63c5ff74ab748c33799949a8f2ec1d646f59708503055088e50a689f63d5f5f4b2c741d5a86fd56f00e3aabbcfc551227b070285f6e1a503b3b50e68d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
60cb035a6138bf59fe4aa36d683d7d04

SHA1
27cc7e56d9cefb662c4428aba3b1bf8db0e0c069

SHA256
b8737ed3416d34de3fd78c9cfcd581e89bf61dc8eafcc33b48804edca29ddc9a

SHA512
92ac1426c993ca2a7d8898e6bb37ab2b8f0389faa90e7b05b83129f11556897af1b92d4d8a46e413ab2d24c855176b783fc237d04032e68308036e590f6e4810

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
6ab7ef89e9f1e5b6651e92c44427a502

SHA1
2384c592e9109351332395c7037ca321184f6569

SHA256
d5d3befb2225a08cb7e10a599c50f9949f272da583ef28749dd2668e927ae2bb

SHA512
142f0b12a7daf567a906755d7208669648cca9f62d8c0469ada165060db20a260c6143faaf845e98ff1653ccdbb01e7f88c554e442bab1fa7453e1dd69aa5706

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
6ab7ef89e9f1e5b6651e92c44427a502

SHA1
2384c592e9109351332395c7037ca321184f6569

SHA256
d5d3befb2225a08cb7e10a599c50f9949f272da583ef28749dd2668e927ae2bb

SHA512
142f0b12a7daf567a906755d7208669648cca9f62d8c0469ada165060db20a260c6143faaf845e98ff1653ccdbb01e7f88c554e442bab1fa7453e1dd69aa5706

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
c9402d9b99b2da6d977010c9fe940dc7

SHA1
2eed820be05ef93e9ceb106f71dfee0ac6b5e664

SHA256
7162669e5ef0fc0dd4fc176e4b85692cd226f764d38daf46468bf00961962dfb

SHA512
29b4146563cb5f436e5428df7171def409085b89e5bb12a642c3470f4b873b22db0fb0d28b7c67081cca7518e018f1a480a4dfd3425c728dd2aed8c1b76f0b2c

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
c9402d9b99b2da6d977010c9fe940dc7

SHA1
2eed820be05ef93e9ceb106f71dfee0ac6b5e664

SHA256
7162669e5ef0fc0dd4fc176e4b85692cd226f764d38daf46468bf00961962dfb

SHA512
29b4146563cb5f436e5428df7171def409085b89e5bb12a642c3470f4b873b22db0fb0d28b7c67081cca7518e018f1a480a4dfd3425c728dd2aed8c1b76f0b2c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
04c8be7b011683518bb32789039ae9ba

SHA1
beaeaaeed251b146774846c694260c5b3dd38ed1

SHA256
3ca4403bf4df9e6441f800b61be697073d4b36aa54350fa455546575e78f05a4

SHA512
c18cff0c92aee86c0fb306110591dbc46699e38508488b0df9e46aa2c785ffb0e653fda56b0184474e8a28403720888264a59c1d6df06eb08254bb8754836085

Download Submit
C:\System Restore.exe

Filesize
72KB

MD5
04c8be7b011683518bb32789039ae9ba

SHA1
beaeaaeed251b146774846c694260c5b3dd38ed1

SHA256
3ca4403bf4df9e6441f800b61be697073d4b36aa54350fa455546575e78f05a4

SHA512
c18cff0c92aee86c0fb306110591dbc46699e38508488b0df9e46aa2c785ffb0e653fda56b0184474e8a28403720888264a59c1d6df06eb08254bb8754836085

Download Submit
C:\Users\Admin\AppData\Local\Temp\2423335464\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\2423335464\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
d8e36174fbd95e66d5306bd34b338ff9

SHA1
0a056377e6923d9032389fc4ac1059f0aed83920

SHA256
2ed3a6e758740e40ebfbb3a0a483ec30a90e28f45baa4f4c99761790edbded41

SHA512
cac4e212539aff77ac212608600c995698b973080b01628921b6144f0b8eb9b006ca886c8b049e419c05f8aad715234d95cf4e0bfe30cfce50a342ab47b6a194

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
d8e36174fbd95e66d5306bd34b338ff9

SHA1
0a056377e6923d9032389fc4ac1059f0aed83920

SHA256
2ed3a6e758740e40ebfbb3a0a483ec30a90e28f45baa4f4c99761790edbded41

SHA512
cac4e212539aff77ac212608600c995698b973080b01628921b6144f0b8eb9b006ca886c8b049e419c05f8aad715234d95cf4e0bfe30cfce50a342ab47b6a194

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d64fcf702e3ec923e1bc12a8e76bf6c1

SHA1
78e029120e59968ed3505963afd5cb5f4d34827b

SHA256
3bb6f691153a23076e84177b47be77b78ac48b643ac270b87f0ef114525c456f

SHA512
7503b7cf8d6318dd09eb542febf09bd358bf4abab9c841fbbc5c1bc6c8ddbe8490e069e6a635419bb21b1e3f052c7c54dc697737a6dde3611e47b522fb745afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d64fcf702e3ec923e1bc12a8e76bf6c1

SHA1
78e029120e59968ed3505963afd5cb5f4d34827b

SHA256
3bb6f691153a23076e84177b47be77b78ac48b643ac270b87f0ef114525c456f

SHA512
7503b7cf8d6318dd09eb542febf09bd358bf4abab9c841fbbc5c1bc6c8ddbe8490e069e6a635419bb21b1e3f052c7c54dc697737a6dde3611e47b522fb745afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
dc9e1bf1be9d5c489b585426d4c52ff4

SHA1
0ecebcbad5a0d59c99c1f389fac63644ebb73d4c

SHA256
747a11d275dd8248d810eac8dc9e16ba3db06897cf7e571690d7a2d0c0911c33

SHA512
eea9bffda10129a7aac9056112ae7d5b83d111c6c5fd5586d5e461375f54e6c580b05e2f48215618459cd49720bee16f904ad69fc4b65f69ab0c0fa1adb3bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
dc9e1bf1be9d5c489b585426d4c52ff4

SHA1
0ecebcbad5a0d59c99c1f389fac63644ebb73d4c

SHA256
747a11d275dd8248d810eac8dc9e16ba3db06897cf7e571690d7a2d0c0911c33

SHA512
eea9bffda10129a7aac9056112ae7d5b83d111c6c5fd5586d5e461375f54e6c580b05e2f48215618459cd49720bee16f904ad69fc4b65f69ab0c0fa1adb3bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
c860b1065ae423ec6c3a31f6ced5d25c

SHA1
89561e92600d23c705e53da8d64fe5dced84efa0

SHA256
a8c15e803323166f83552a099f575949249a66e9638819b1759ce95a25768ccf

SHA512
214e88acd6d590832b89c4836cb889b23e2271b8ed8bac4e64d2a944c43a8b3d2e65948a615cff71be16bbb3501a6c65c8c1973ba1071cd1102a9b4630b91b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
dc9e1bf1be9d5c489b585426d4c52ff4

SHA1
0ecebcbad5a0d59c99c1f389fac63644ebb73d4c

SHA256
747a11d275dd8248d810eac8dc9e16ba3db06897cf7e571690d7a2d0c0911c33

SHA512
eea9bffda10129a7aac9056112ae7d5b83d111c6c5fd5586d5e461375f54e6c580b05e2f48215618459cd49720bee16f904ad69fc4b65f69ab0c0fa1adb3bbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
dc9e1bf1be9d5c489b585426d4c52ff4

SHA1
0ecebcbad5a0d59c99c1f389fac63644ebb73d4c

SHA256
747a11d275dd8248d810eac8dc9e16ba3db06897cf7e571690d7a2d0c0911c33

SHA512
eea9bffda10129a7aac9056112ae7d5b83d111c6c5fd5586d5e461375f54e6c580b05e2f48215618459cd49720bee16f904ad69fc4b65f69ab0c0fa1adb3bbd0

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
52ccfe3c3b458c29663c722350d564aa

SHA1
7318e4df7c43227fc2112d28143582535e1981f7

SHA256
ee9df63ac7917366e4853009543d8e6c5fe3cfcdc9e2bba934dec507e9336460

SHA512
4fe594e8a9c920b3f8692bba85f58fd83768061b2d318a0890ff83eb70648745eaa8830e2874640951c1adac265fdb723a6ee62aa0b568aad433055d50664355

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads