52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c

Analysis

max time kernel
228s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe
Size

72KB
MD5

939e8636e167e07623e0cfd085385e19
SHA1

00be15f3e585a6105ccdcf537fb0aaef7c304578
SHA256

52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c
SHA512

ee4c45beedebbcf147afb7c56c66874057d15f018eb2a977f8b2450f253e02d2bc612a8e45ba9a4afe7afb50e3c16116efd4ab8e8bc3007e7d6bb2d9348f1554
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr9U:teThavEjDWguK9U

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2172	backup.exe
4700	backup.exe
1752	backup.exe
2912	backup.exe
1544	backup.exe
3368	backup.exe
212	backup.exe
1536	backup.exe
2248	backup.exe
1280	backup.exe
3444	backup.exe
3360	backup.exe
4804	backup.exe
1004	backup.exe
4232	backup.exe
4680	backup.exe
3460	backup.exe
996	backup.exe
4628	update.exe
1296	backup.exe
4508	backup.exe
1816	backup.exe
676	data.exe
3608	backup.exe
4052	backup.exe
1300	backup.exe
428	backup.exe
2980	backup.exe
2784	backup.exe
4664	backup.exe
4772	backup.exe
4732	backup.exe
456	System Restore.exe
4840	backup.exe
2128	backup.exe
4536	backup.exe
1916	backup.exe
4660	backup.exe
4060	backup.exe
972	backup.exe
3724	backup.exe
688	backup.exe
2308	backup.exe
4604	backup.exe
1052	backup.exe
4596	backup.exe
2336	backup.exe
3496	backup.exe
1924	backup.exe
1336	backup.exe
2844	backup.exe
1368	backup.exe
1268	backup.exe
2808	System Restore.exe
1508	update.exe
1540	backup.exe
212	backup.exe
3712	data.exe
1020	backup.exe
3020	backup.exe
4880	backup.exe
872	backup.exe
2032	backup.exe
1356	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe
2172	backup.exe
4700	backup.exe
1752	backup.exe
2912	backup.exe
1544	backup.exe
3368	backup.exe
212	backup.exe
1536	backup.exe
2248	backup.exe
1280	backup.exe
3444	backup.exe
3360	backup.exe
4804	backup.exe
1004	backup.exe
4232	backup.exe
4680	backup.exe
3460	backup.exe
996	backup.exe
4628	update.exe
1296	backup.exe
4508	backup.exe
1816	backup.exe
676	data.exe
3608	backup.exe
4052	backup.exe
1300	backup.exe
428	backup.exe
2980	backup.exe
2784	backup.exe
4772	backup.exe
4664	backup.exe
4732	backup.exe
456	System Restore.exe
4840	backup.exe
2128	backup.exe
1916	backup.exe
4536	backup.exe
4660	backup.exe
4060	backup.exe
972	backup.exe
3724	backup.exe
688	backup.exe
2308	backup.exe
4604	backup.exe
1052	backup.exe
4596	backup.exe
2336	backup.exe
3496	backup.exe
1924	backup.exe
1336	backup.exe
2844	backup.exe
1368	backup.exe
1268	backup.exe
2808	System Restore.exe
1508	update.exe
1540	backup.exe
212	backup.exe
3712	data.exe
3020	backup.exe
1020	backup.exe
872	backup.exe
4880	backup.exe
3648	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2172	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	82
PID 2100 wrote to memory of 2172	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	82
PID 2100 wrote to memory of 2172	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	82
PID 2100 wrote to memory of 4700	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	83
PID 2100 wrote to memory of 4700	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	83
PID 2100 wrote to memory of 4700	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	83
PID 2100 wrote to memory of 1752	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	84
PID 2100 wrote to memory of 1752	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	84
PID 2100 wrote to memory of 1752	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	84
PID 2100 wrote to memory of 2912	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	85
PID 2100 wrote to memory of 2912	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	85
PID 2100 wrote to memory of 2912	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	85
PID 2100 wrote to memory of 1544	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	86
PID 2100 wrote to memory of 1544	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	86
PID 2100 wrote to memory of 1544	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	86
PID 2172 wrote to memory of 3368	2172	backup.exe	87
PID 2172 wrote to memory of 3368	2172	backup.exe	87
PID 2172 wrote to memory of 3368	2172	backup.exe	87
PID 2100 wrote to memory of 212	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	88
PID 2100 wrote to memory of 212	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	88
PID 2100 wrote to memory of 212	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	88
PID 3368 wrote to memory of 1536	3368	backup.exe	89
PID 3368 wrote to memory of 1536	3368	backup.exe	89
PID 3368 wrote to memory of 1536	3368	backup.exe	89
PID 2100 wrote to memory of 2248	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	90
PID 2100 wrote to memory of 2248	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	90
PID 2100 wrote to memory of 2248	2100	52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe	90
PID 3368 wrote to memory of 1280	3368	backup.exe	91
PID 3368 wrote to memory of 1280	3368	backup.exe	91
PID 3368 wrote to memory of 1280	3368	backup.exe	91
PID 3368 wrote to memory of 3444	3368	backup.exe	92
PID 3368 wrote to memory of 3444	3368	backup.exe	92
PID 3368 wrote to memory of 3444	3368	backup.exe	92
PID 3444 wrote to memory of 3360	3444	backup.exe	93
PID 3444 wrote to memory of 3360	3444	backup.exe	93
PID 3444 wrote to memory of 3360	3444	backup.exe	93
PID 3360 wrote to memory of 4804	3360	backup.exe	94
PID 3360 wrote to memory of 4804	3360	backup.exe	94
PID 3360 wrote to memory of 4804	3360	backup.exe	94
PID 3444 wrote to memory of 1004	3444	backup.exe	95
PID 3444 wrote to memory of 1004	3444	backup.exe	95
PID 3444 wrote to memory of 1004	3444	backup.exe	95
PID 1004 wrote to memory of 4232	1004	backup.exe	96
PID 1004 wrote to memory of 4232	1004	backup.exe	96
PID 1004 wrote to memory of 4232	1004	backup.exe	96
PID 1004 wrote to memory of 4680	1004	backup.exe	97
PID 1004 wrote to memory of 4680	1004	backup.exe	97
PID 1004 wrote to memory of 4680	1004	backup.exe	97
PID 4680 wrote to memory of 3460	4680	backup.exe	98
PID 4680 wrote to memory of 3460	4680	backup.exe	98
PID 4680 wrote to memory of 3460	4680	backup.exe	98
PID 4680 wrote to memory of 996	4680	backup.exe	99
PID 4680 wrote to memory of 996	4680	backup.exe	99
PID 4680 wrote to memory of 996	4680	backup.exe	99
PID 996 wrote to memory of 4628	996	backup.exe	100
PID 996 wrote to memory of 4628	996	backup.exe	100
PID 996 wrote to memory of 4628	996	backup.exe	100
PID 996 wrote to memory of 1296	996	backup.exe	101
PID 996 wrote to memory of 1296	996	backup.exe	101
PID 996 wrote to memory of 1296	996	backup.exe	101
PID 996 wrote to memory of 4508	996	backup.exe	102
PID 996 wrote to memory of 4508	996	backup.exe	102
PID 996 wrote to memory of 4508	996	backup.exe	102
PID 996 wrote to memory of 1816	996	backup.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe
"C:\Users\Admin\AppData\Local\Temp\52d85b577ef7e24651f292d40879e953493130256bbfa90a6942a1b49574821c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\2196046437\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2196046437\backup.exe C:\Users\Admin\AppData\Local\Temp\2196046437\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2172
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1536
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1280
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3444
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3360
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4804
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1004
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4232
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4680
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3460
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:996
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4052
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1300
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:428
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1336
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3164
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        System policy modification
        
        PID:4420
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1580
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4060
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4040
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2204
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:4148
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        System policy modification
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:432
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4664
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2308
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1356
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1144
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2528
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:4884
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:632
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2784
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4596
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3712
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4500
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4648
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2032
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2060
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4448
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:628
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:4584
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:3172
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2980
    - - C:\Program Files (x86)\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:456
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        System policy modification
        
        PID:712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        System policy modification
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        System policy modification
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:852
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1316
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4948
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3644
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious use of SetWindowsHookEx
      PID:3648
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3136
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5024
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:4248
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3328
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:212
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2248

C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
1⤵
PID:2120

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
602e7eb09c3f9b4a868ed9c6af1a9e78

SHA1
f3d1d8c12390fc9e8c51902c813829daf8517920

SHA256
948a4d8d8877ea4bfdae6086639db0c3cab1bd3fec7d38caefcd3a58eb506257

SHA512
c341c839ef2b46a7a4f6353bd684c9ac265875693afb554bf15ff3567e3c0fa6fde20ea612dca5555997ea5dd7bdbd0295bc7b6f26e52e7b8b0a06c1c22bf064

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
602e7eb09c3f9b4a868ed9c6af1a9e78

SHA1
f3d1d8c12390fc9e8c51902c813829daf8517920

SHA256
948a4d8d8877ea4bfdae6086639db0c3cab1bd3fec7d38caefcd3a58eb506257

SHA512
c341c839ef2b46a7a4f6353bd684c9ac265875693afb554bf15ff3567e3c0fa6fde20ea612dca5555997ea5dd7bdbd0295bc7b6f26e52e7b8b0a06c1c22bf064

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
371df1a7cfd5f194d470a5e06467a87b

SHA1
a6f320c15be473c03e50e44aaecf31c217a4f438

SHA256
70ee7f2022e6a4617ec2cc274a9a40fd1efeb6332c70b18d9c7f994a601ae7f1

SHA512
0d702354f48eb3041e814de031f1aa6e445880752737c379366f40327f7afeb39c704031ee53ead8f358cd977a2856b2fe3834dba7a83c91d7f67fbde796f960

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
371df1a7cfd5f194d470a5e06467a87b

SHA1
a6f320c15be473c03e50e44aaecf31c217a4f438

SHA256
70ee7f2022e6a4617ec2cc274a9a40fd1efeb6332c70b18d9c7f994a601ae7f1

SHA512
0d702354f48eb3041e814de031f1aa6e445880752737c379366f40327f7afeb39c704031ee53ead8f358cd977a2856b2fe3834dba7a83c91d7f67fbde796f960

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
8ef5b27afc4e61033cc779c178bd48a5

SHA1
a81b785c350ef64af851f072263d6e38d30fc98a

SHA256
5fc030735078f28d170bd1705b4b06c997dbe33a9b8f913c6bc4395596efdd78

SHA512
1753a91f0b6fa877158ff24ec7182f2c89a6bdea622d6a5a3fff4243ca1c3f4b32fef862bca06eee524dccbf65d860723c0aeb0662104a4ea56e30b9c4581716

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
8ef5b27afc4e61033cc779c178bd48a5

SHA1
a81b785c350ef64af851f072263d6e38d30fc98a

SHA256
5fc030735078f28d170bd1705b4b06c997dbe33a9b8f913c6bc4395596efdd78

SHA512
1753a91f0b6fa877158ff24ec7182f2c89a6bdea622d6a5a3fff4243ca1c3f4b32fef862bca06eee524dccbf65d860723c0aeb0662104a4ea56e30b9c4581716

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0bec4e31cfd6e6e6ec71407d715df3c7

SHA1
5e2b5834062927e9b658b585bf1b4b3a6301a7c6

SHA256
ae30a44fa9277a885f506761b52ddf97dfcee3ff11af40836a8c5fefa568a694

SHA512
f1111945e98bc9109ff9b8544c83ac625279daed0914f4f735cf04b12373185251b3bb3177bdc5fa35da18e22d373882bc99b507cba24f7bf4b767188fec9908

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0bec4e31cfd6e6e6ec71407d715df3c7

SHA1
5e2b5834062927e9b658b585bf1b4b3a6301a7c6

SHA256
ae30a44fa9277a885f506761b52ddf97dfcee3ff11af40836a8c5fefa568a694

SHA512
f1111945e98bc9109ff9b8544c83ac625279daed0914f4f735cf04b12373185251b3bb3177bdc5fa35da18e22d373882bc99b507cba24f7bf4b767188fec9908

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
296c1df847ae4d6b1974bc192c687bef

SHA1
abc43b18edd96aa75e04648cfc79d2c2ac559d46

SHA256
f3f0f36d4c1f72448ab546a56f07b9aa4e74760144503d8587e9d7d00cf4713e

SHA512
0f52ac8c4cb9208443a53a092e7fb54f1c4fb5964811c84d78556604ffe51983cc3dea413397091cb2cbf7997de0273559eeec4508a2df598b016bd4a94199df

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
296c1df847ae4d6b1974bc192c687bef

SHA1
abc43b18edd96aa75e04648cfc79d2c2ac559d46

SHA256
f3f0f36d4c1f72448ab546a56f07b9aa4e74760144503d8587e9d7d00cf4713e

SHA512
0f52ac8c4cb9208443a53a092e7fb54f1c4fb5964811c84d78556604ffe51983cc3dea413397091cb2cbf7997de0273559eeec4508a2df598b016bd4a94199df

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
ebc1e12d53e5329a848d00e8b1532ed3

SHA1
ba8bbe59c7fd15551d8af19740c52f3b2ad7cee1

SHA256
d38d0e232a5ed37f7c71d57df97794de98d46beaa5528ff6647670aa69e857c3

SHA512
ab68af2384804d003b6f265e6f6780b4f04eb2349783b9bfd5bb336cdf25e59078cde96206daee40f340c40efbeecc54ad077f513d51961c256ebd0abc4a2a51

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
ebc1e12d53e5329a848d00e8b1532ed3

SHA1
ba8bbe59c7fd15551d8af19740c52f3b2ad7cee1

SHA256
d38d0e232a5ed37f7c71d57df97794de98d46beaa5528ff6647670aa69e857c3

SHA512
ab68af2384804d003b6f265e6f6780b4f04eb2349783b9bfd5bb336cdf25e59078cde96206daee40f340c40efbeecc54ad077f513d51961c256ebd0abc4a2a51

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
763e87e1c25cce9ac3a7e0b721e39070

SHA1
d4697a4235aa2b360ec1c2f540d46194b5a0c88f

SHA256
2c1f976a23f8c5c8c4164f6385cea13d8eea8941a2ae5e6c4809d8b1fbf1c272

SHA512
9ad3b768addf92c01bc5d2670dc400d1a913fa5fa7440e99fdafc2cbf3291dfd3a35025033d4003bb8ec1b702f6646658f6aa0ff93c012e9cf22170a0a00d2f6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
763e87e1c25cce9ac3a7e0b721e39070

SHA1
d4697a4235aa2b360ec1c2f540d46194b5a0c88f

SHA256
2c1f976a23f8c5c8c4164f6385cea13d8eea8941a2ae5e6c4809d8b1fbf1c272

SHA512
9ad3b768addf92c01bc5d2670dc400d1a913fa5fa7440e99fdafc2cbf3291dfd3a35025033d4003bb8ec1b702f6646658f6aa0ff93c012e9cf22170a0a00d2f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
dbed6ad849231adbfc4fa33582b9dba3

SHA1
391e4b2cb66f0bc282edcefd0d54578d7f71a028

SHA256
be2c4c860825e68ea99ab5b1279f5b2177cec78542322be5914605e842a4e0ce

SHA512
07731c70b0f244d122b57ee158f3e4f4df764a9e1538fb44fbc7b7065ce5e689c7102698545a2e7be417a35810ff3cca03d3321f1aae87ae83e81c52d5f46ad0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
dbed6ad849231adbfc4fa33582b9dba3

SHA1
391e4b2cb66f0bc282edcefd0d54578d7f71a028

SHA256
be2c4c860825e68ea99ab5b1279f5b2177cec78542322be5914605e842a4e0ce

SHA512
07731c70b0f244d122b57ee158f3e4f4df764a9e1538fb44fbc7b7065ce5e689c7102698545a2e7be417a35810ff3cca03d3321f1aae87ae83e81c52d5f46ad0

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
95e715daf0004649873f1b151fe2486f

SHA1
f516a275969b81d9b7c55852ee4ce560cfbf78de

SHA256
4e3d6d1710ffd5bbac645404c9862fe2f031a9e854d232ce3b5bc60b823b7230

SHA512
3b9dedebf525db1f825631c9023b536e899c03d6c68b0ba758572f60ce0cf5ff84c1346e919c16ca393f68b6de9bbf616adbf133654e2c32dea8cfd2edd83176

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
95e715daf0004649873f1b151fe2486f

SHA1
f516a275969b81d9b7c55852ee4ce560cfbf78de

SHA256
4e3d6d1710ffd5bbac645404c9862fe2f031a9e854d232ce3b5bc60b823b7230

SHA512
3b9dedebf525db1f825631c9023b536e899c03d6c68b0ba758572f60ce0cf5ff84c1346e919c16ca393f68b6de9bbf616adbf133654e2c32dea8cfd2edd83176

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
296c1df847ae4d6b1974bc192c687bef

SHA1
abc43b18edd96aa75e04648cfc79d2c2ac559d46

SHA256
f3f0f36d4c1f72448ab546a56f07b9aa4e74760144503d8587e9d7d00cf4713e

SHA512
0f52ac8c4cb9208443a53a092e7fb54f1c4fb5964811c84d78556604ffe51983cc3dea413397091cb2cbf7997de0273559eeec4508a2df598b016bd4a94199df

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
296c1df847ae4d6b1974bc192c687bef

SHA1
abc43b18edd96aa75e04648cfc79d2c2ac559d46

SHA256
f3f0f36d4c1f72448ab546a56f07b9aa4e74760144503d8587e9d7d00cf4713e

SHA512
0f52ac8c4cb9208443a53a092e7fb54f1c4fb5964811c84d78556604ffe51983cc3dea413397091cb2cbf7997de0273559eeec4508a2df598b016bd4a94199df

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
6881373a5683db5a9002bcadff3dd8fe

SHA1
15efde04368627f764a75d88a66401d3ab4b1ae5

SHA256
eeba20f474d61844e90b76d34352391cf40171993d2dbbdedda62af4bf3b8350

SHA512
32db20129d72341cf0c5970f968337c6e2f718bcfb44d9cdaa44926e3875a2fd0c37bfaf30396cc83d0deab9a67beaab28582930bdec1250bc3434421d646fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
6881373a5683db5a9002bcadff3dd8fe

SHA1
15efde04368627f764a75d88a66401d3ab4b1ae5

SHA256
eeba20f474d61844e90b76d34352391cf40171993d2dbbdedda62af4bf3b8350

SHA512
32db20129d72341cf0c5970f968337c6e2f718bcfb44d9cdaa44926e3875a2fd0c37bfaf30396cc83d0deab9a67beaab28582930bdec1250bc3434421d646fb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
0a2f1abcb82e449e713104a4fc5bd97a

SHA1
3479a297de032dd14ab739cabb04e52f7e94d07a

SHA256
b4bd0fc5a406003c054a659f77073be6b0d51ad010cffee2e560f6896069a949

SHA512
96c5f2088b524dbd3c60dc6989b2d72bad4718419a86077adc9bfbd0bfac849d12222566d8a721ddd084adb2e24e14ff48d51a14317c422b12da601273b2afc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
61ed6f20303787a5e75af13085a46e03

SHA1
7254bb0f0a41773e5699c2c1938c0fecb93d9228

SHA256
98a46f2c99b7271f60bf6ed3bbfd0d0345d4960abc062ddc6c6199cb7562ad6b

SHA512
26eef3ff5db8890bb95c7e0fbe4c572a0b0b505c45b1e0a908e6ee193fc0703a8a9260e0b4f6844cf2eb6cdead2d8e7aec3c2fd8e8e47d9a3b5ac85b0e911f21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
61ed6f20303787a5e75af13085a46e03

SHA1
7254bb0f0a41773e5699c2c1938c0fecb93d9228

SHA256
98a46f2c99b7271f60bf6ed3bbfd0d0345d4960abc062ddc6c6199cb7562ad6b

SHA512
26eef3ff5db8890bb95c7e0fbe4c572a0b0b505c45b1e0a908e6ee193fc0703a8a9260e0b4f6844cf2eb6cdead2d8e7aec3c2fd8e8e47d9a3b5ac85b0e911f21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
70f393976696c2a164184b03894f3ecb

SHA1
84cda5b433f9d54ff8613dcff62c90486af7d6f0

SHA256
7c13bf59cdfc2bf7d5d56e58776ea93689925156fd34359eebe230477010efe6

SHA512
cf7244d1002abd929a633105679d6ceccbfdbab1aef8fbf2f980d57ef2f40cb1a4c46a85b756bf74cf5346149e4e7278efdb8bb3ea70669ceb8deecd64be23c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
40dcd1930ff3923831a73805325c4043

SHA1
5d70f58cbef30967cfd08ec12b39be5700de4f55

SHA256
83633555cec5b28a0a87544339eaf8e8a2da9ba7b5768ea4c2384d92fb257f5d

SHA512
d3744bd7a18327f213ede3cdbed1d067d66235b293de6050e1c1cd331ef574246a1df735eb43a0efd76dbc89d2fa3b04d078b9a2da95541beb5cb3d8785819a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
40dcd1930ff3923831a73805325c4043

SHA1
5d70f58cbef30967cfd08ec12b39be5700de4f55

SHA256
83633555cec5b28a0a87544339eaf8e8a2da9ba7b5768ea4c2384d92fb257f5d

SHA512
d3744bd7a18327f213ede3cdbed1d067d66235b293de6050e1c1cd331ef574246a1df735eb43a0efd76dbc89d2fa3b04d078b9a2da95541beb5cb3d8785819a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
40dcd1930ff3923831a73805325c4043

SHA1
5d70f58cbef30967cfd08ec12b39be5700de4f55

SHA256
83633555cec5b28a0a87544339eaf8e8a2da9ba7b5768ea4c2384d92fb257f5d

SHA512
d3744bd7a18327f213ede3cdbed1d067d66235b293de6050e1c1cd331ef574246a1df735eb43a0efd76dbc89d2fa3b04d078b9a2da95541beb5cb3d8785819a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
40dcd1930ff3923831a73805325c4043

SHA1
5d70f58cbef30967cfd08ec12b39be5700de4f55

SHA256
83633555cec5b28a0a87544339eaf8e8a2da9ba7b5768ea4c2384d92fb257f5d

SHA512
d3744bd7a18327f213ede3cdbed1d067d66235b293de6050e1c1cd331ef574246a1df735eb43a0efd76dbc89d2fa3b04d078b9a2da95541beb5cb3d8785819a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ec6e7648ffe0cc501a09e9280e9c1a2a

SHA1
d8fda04404dce69fabb96e4f0490077e004f683c

SHA256
61594e8fe1d52fdf6364c7bdba0c5eab7e12f629329afd68d50580dab755ea01

SHA512
ed256d919e31d2f7cb02a562f5f960627ab1b6128fc388401069cffaf921dbe9e10a857e9300c9b06486a92355b32bab826903bb6c274d10184ef9e004e57dae

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ec6e7648ffe0cc501a09e9280e9c1a2a

SHA1
d8fda04404dce69fabb96e4f0490077e004f683c

SHA256
61594e8fe1d52fdf6364c7bdba0c5eab7e12f629329afd68d50580dab755ea01

SHA512
ed256d919e31d2f7cb02a562f5f960627ab1b6128fc388401069cffaf921dbe9e10a857e9300c9b06486a92355b32bab826903bb6c274d10184ef9e004e57dae

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
f5f0bbdc4df9dc6fd7929fd636f1760f

SHA1
c1f6bb6ee8305231318c62d833ac235c1b432459

SHA256
3e72bce484369376f5b461a0ed231aab5bea817ecd084d29c64bad773ec675ac

SHA512
2e027d8e5b107594869dbece556e1d02775d46a20b39045da800af3b8277305d7f5b66723274f372a010aae8e0f5cbe03b6fe6f947d6a0c3be781321f5ff38e4

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
f5f0bbdc4df9dc6fd7929fd636f1760f

SHA1
c1f6bb6ee8305231318c62d833ac235c1b432459

SHA256
3e72bce484369376f5b461a0ed231aab5bea817ecd084d29c64bad773ec675ac

SHA512
2e027d8e5b107594869dbece556e1d02775d46a20b39045da800af3b8277305d7f5b66723274f372a010aae8e0f5cbe03b6fe6f947d6a0c3be781321f5ff38e4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3c6705d83bccf8223a9fac479077fdac

SHA1
1efd026e8aef8705ecf5a1bd446392784388410c

SHA256
4098c1ebf7d19665480dd67db46d3af05880978d37b77cbca03fdf738eb19b12

SHA512
a791818b81bfdcb485a7cf2380c5b4171f71237a3e55321c8f6b192cfdad2d53f19185cb1a0724679314ba920c1ca7e85a05ce5cb1e329e1c5bce50f7a6ba44a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3c6705d83bccf8223a9fac479077fdac

SHA1
1efd026e8aef8705ecf5a1bd446392784388410c

SHA256
4098c1ebf7d19665480dd67db46d3af05880978d37b77cbca03fdf738eb19b12

SHA512
a791818b81bfdcb485a7cf2380c5b4171f71237a3e55321c8f6b192cfdad2d53f19185cb1a0724679314ba920c1ca7e85a05ce5cb1e329e1c5bce50f7a6ba44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2196046437\backup.exe

Filesize
72KB

MD5
d69423fc7bba26c29828c75c9f0714f2

SHA1
8f26306b17969920e964d31387f854696ace24e3

SHA256
91d7fa2ac489606e9205811612b07fc354284380f52644a449f94ab89c675ca5

SHA512
1880abfdea1b863e3ad3f6623ca9bddb208ea60322b363f6d21b5ac2a43595de795cb346129fe4e246156aa2b232b0ddf0b557663d67903b898c77125b9315f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2196046437\backup.exe

Filesize
72KB

MD5
d69423fc7bba26c29828c75c9f0714f2

SHA1
8f26306b17969920e964d31387f854696ace24e3

SHA256
91d7fa2ac489606e9205811612b07fc354284380f52644a449f94ab89c675ca5

SHA512
1880abfdea1b863e3ad3f6623ca9bddb208ea60322b363f6d21b5ac2a43595de795cb346129fe4e246156aa2b232b0ddf0b557663d67903b898c77125b9315f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b584b60fbe51b725a01fbad9efee2429

SHA1
69b3db0aaa8ab0bede8af8b9a8567d3bb52e8baa

SHA256
cf945b865c01acbb6ed0f4eb35e50f330acb6e7d1752b9654ca6efe0756eabd9

SHA512
844a249993a716cf5bbe5d45d5d3267e2f61fb5c740b441b7898287b67841c88c16bde9930d73e64fcbd4b003c021640bec7d74def4887c00e054a3679a37d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b584b60fbe51b725a01fbad9efee2429

SHA1
69b3db0aaa8ab0bede8af8b9a8567d3bb52e8baa

SHA256
cf945b865c01acbb6ed0f4eb35e50f330acb6e7d1752b9654ca6efe0756eabd9

SHA512
844a249993a716cf5bbe5d45d5d3267e2f61fb5c740b441b7898287b67841c88c16bde9930d73e64fcbd4b003c021640bec7d74def4887c00e054a3679a37d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a397d1341c06af6f07d009bc23002c0c

SHA1
af4a6fc1804dea040d8e58c85c4ad70894c9cb7d

SHA256
e2804d4df0b10a7206e4d94340a02db6ecd08949789be75bbd9c53c7a536d24d

SHA512
4b55c89f884ca9b9bc1fa344f4a8bb6f4c9a88509cc1c2f3bd5bcccb51e68476c33ced5e430356dea479fd0629bf4d13e4f5493fb24a8ef126a9e217b8e42d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a397d1341c06af6f07d009bc23002c0c

SHA1
af4a6fc1804dea040d8e58c85c4ad70894c9cb7d

SHA256
e2804d4df0b10a7206e4d94340a02db6ecd08949789be75bbd9c53c7a536d24d

SHA512
4b55c89f884ca9b9bc1fa344f4a8bb6f4c9a88509cc1c2f3bd5bcccb51e68476c33ced5e430356dea479fd0629bf4d13e4f5493fb24a8ef126a9e217b8e42d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7edcfd70a5e5064f76e5144336b8d76b

SHA1
baf60b75bdae6f51c0c0fdb5350b4f61acdca64f

SHA256
c6928971441237b99116b6b636de2680ea525236a4c23657d95e9af2f00f19c8

SHA512
78297436ca7b617dcba677eade1fb86e64634b70b7fff395ea66996e7508d549beb3ec7b0e2e0e61cba910c52b30477d86c492d6bdd50ddca9373baff9ac73fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a397d1341c06af6f07d009bc23002c0c

SHA1
af4a6fc1804dea040d8e58c85c4ad70894c9cb7d

SHA256
e2804d4df0b10a7206e4d94340a02db6ecd08949789be75bbd9c53c7a536d24d

SHA512
4b55c89f884ca9b9bc1fa344f4a8bb6f4c9a88509cc1c2f3bd5bcccb51e68476c33ced5e430356dea479fd0629bf4d13e4f5493fb24a8ef126a9e217b8e42d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a397d1341c06af6f07d009bc23002c0c

SHA1
af4a6fc1804dea040d8e58c85c4ad70894c9cb7d

SHA256
e2804d4df0b10a7206e4d94340a02db6ecd08949789be75bbd9c53c7a536d24d

SHA512
4b55c89f884ca9b9bc1fa344f4a8bb6f4c9a88509cc1c2f3bd5bcccb51e68476c33ced5e430356dea479fd0629bf4d13e4f5493fb24a8ef126a9e217b8e42d2e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7f004181743d7c1da38360a080041185

SHA1
a4fdae8b0484ade3b186c89ab7aa7ed0bdc83935

SHA256
08354b23d615e69322606ac92d6e0890ffcfb47570842b029b46547972c84dd8

SHA512
1fdf2df3a4a6a692a56754bb9ff353288064ad97504c8377390dfbe3322313204670bc2da7e95c33647c7c3bb32299acf2da50e6bd1a8ac05305ac30f37e5421

Download Submit
C:\backup.exe

Filesize
72KB

MD5
7f004181743d7c1da38360a080041185

SHA1
a4fdae8b0484ade3b186c89ab7aa7ed0bdc83935

SHA256
08354b23d615e69322606ac92d6e0890ffcfb47570842b029b46547972c84dd8

SHA512
1fdf2df3a4a6a692a56754bb9ff353288064ad97504c8377390dfbe3322313204670bc2da7e95c33647c7c3bb32299acf2da50e6bd1a8ac05305ac30f37e5421

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
602e7eb09c3f9b4a868ed9c6af1a9e78

SHA1
f3d1d8c12390fc9e8c51902c813829daf8517920

SHA256
948a4d8d8877ea4bfdae6086639db0c3cab1bd3fec7d38caefcd3a58eb506257

SHA512
c341c839ef2b46a7a4f6353bd684c9ac265875693afb554bf15ff3567e3c0fa6fde20ea612dca5555997ea5dd7bdbd0295bc7b6f26e52e7b8b0a06c1c22bf064

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
602e7eb09c3f9b4a868ed9c6af1a9e78

SHA1
f3d1d8c12390fc9e8c51902c813829daf8517920

SHA256
948a4d8d8877ea4bfdae6086639db0c3cab1bd3fec7d38caefcd3a58eb506257

SHA512
c341c839ef2b46a7a4f6353bd684c9ac265875693afb554bf15ff3567e3c0fa6fde20ea612dca5555997ea5dd7bdbd0295bc7b6f26e52e7b8b0a06c1c22bf064

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads