4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08

Analysis

max time kernel
151s
max time network
388s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe
Size

72KB
MD5

0c93b95213b43a4f2021e7d65ffb678f
SHA1

5fd64b23f5bf71c64aad363722ea35342eee2531
SHA256

4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08
SHA512

7014cb8ce1ee7904894e15cdba32c5534686f6488b5334fd44740303df950f5262cbc45434fd8f7b0d6f8f3f88fac8182b66b9bb858d0b0e3792365fd68327b8
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2G:ipQNwC3BEddsEqOt/hyJF+x3BEJwRra

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2868	backup.exe
4116	backup.exe
1328	backup.exe
4344	backup.exe
3412	data.exe
1600	backup.exe
908	backup.exe
3872	backup.exe
1168	backup.exe
4612	backup.exe
2624	backup.exe
3160	backup.exe
2296	update.exe
1828	backup.exe
4992	backup.exe
4580	backup.exe
4324	backup.exe
632	backup.exe
416	backup.exe
3768	backup.exe
3372	backup.exe
1844	backup.exe
2864	backup.exe
524	backup.exe
1020	backup.exe
3724	backup.exe
2480	backup.exe
920	backup.exe
912	backup.exe
1152	update.exe
2928	backup.exe
3268	backup.exe
2328	backup.exe
1676	backup.exe
4832	backup.exe
2408	backup.exe
1372	data.exe
4332	backup.exe
2672	backup.exe
4552	backup.exe
4760	data.exe
1688	System Restore.exe
4616	backup.exe
1272	backup.exe
2448	backup.exe
4768	backup.exe
2436	data.exe
1136	System Restore.exe
2976	backup.exe
2684	data.exe
772	backup.exe
1260	backup.exe
3420	backup.exe
4160	backup.exe
4180	backup.exe
1248	backup.exe
1276	backup.exe
3512	backup.exe
1440	backup.exe
1472	backup.exe
2376	backup.exe
2016	backup.exe
3160	backup.exe
2160	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe	backup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe
2868	backup.exe
4116	backup.exe
1328	backup.exe
4344	backup.exe
3412	data.exe
1600	backup.exe
908	backup.exe
1168	backup.exe
3872	backup.exe
4612	backup.exe
2624	backup.exe
3160	backup.exe
2296	update.exe
1828	backup.exe
4992	backup.exe
4580	backup.exe
4324	backup.exe
632	backup.exe
416	backup.exe
3768	backup.exe
3372	backup.exe
1844	backup.exe
2864	backup.exe
1020	backup.exe
524	backup.exe
3724	backup.exe
920	backup.exe
2480	backup.exe
912	backup.exe
1152	update.exe
2928	backup.exe
4832	backup.exe
3268	backup.exe
1676	backup.exe
2328	backup.exe
2408	backup.exe
1372	data.exe
4332	backup.exe
4760	data.exe
2672	backup.exe
4552	backup.exe
4616	backup.exe
1272	backup.exe
1688	System Restore.exe
1136	System Restore.exe
2448	backup.exe
4768	backup.exe
2436	data.exe
2976	backup.exe
2684	data.exe
3420	backup.exe
1260	backup.exe
772	backup.exe
3512	backup.exe
4160	backup.exe
1248	backup.exe
1276	backup.exe
4180	backup.exe
1440	backup.exe
3160	backup.exe
1472	backup.exe
2376	backup.exe
2016	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2868	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	76
PID 4044 wrote to memory of 2868	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	76
PID 4044 wrote to memory of 2868	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	76
PID 4044 wrote to memory of 4116	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	77
PID 4044 wrote to memory of 4116	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	77
PID 4044 wrote to memory of 4116	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	77
PID 4044 wrote to memory of 1328	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	78
PID 4044 wrote to memory of 1328	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	78
PID 4044 wrote to memory of 1328	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	78
PID 4044 wrote to memory of 4344	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	79
PID 4044 wrote to memory of 4344	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	79
PID 4044 wrote to memory of 4344	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	79
PID 4044 wrote to memory of 3412	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	80
PID 4044 wrote to memory of 3412	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	80
PID 4044 wrote to memory of 3412	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	80
PID 2868 wrote to memory of 1600	2868	backup.exe	81
PID 2868 wrote to memory of 1600	2868	backup.exe	81
PID 2868 wrote to memory of 1600	2868	backup.exe	81
PID 4044 wrote to memory of 908	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	83
PID 4044 wrote to memory of 908	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	83
PID 4044 wrote to memory of 908	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	83
PID 4044 wrote to memory of 3872	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	85
PID 4044 wrote to memory of 3872	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	85
PID 4044 wrote to memory of 3872	4044	4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe	85
PID 1600 wrote to memory of 1168	1600	backup.exe	86
PID 1600 wrote to memory of 1168	1600	backup.exe	86
PID 1600 wrote to memory of 1168	1600	backup.exe	86
PID 1600 wrote to memory of 4612	1600	backup.exe	87
PID 1600 wrote to memory of 4612	1600	backup.exe	87
PID 1600 wrote to memory of 4612	1600	backup.exe	87
PID 1600 wrote to memory of 2624	1600	backup.exe	88
PID 1600 wrote to memory of 2624	1600	backup.exe	88
PID 1600 wrote to memory of 2624	1600	backup.exe	88
PID 2624 wrote to memory of 3160	2624	backup.exe	89
PID 2624 wrote to memory of 3160	2624	backup.exe	89
PID 2624 wrote to memory of 3160	2624	backup.exe	89
PID 3160 wrote to memory of 2296	3160	backup.exe	90
PID 3160 wrote to memory of 2296	3160	backup.exe	90
PID 3160 wrote to memory of 2296	3160	backup.exe	90
PID 2624 wrote to memory of 1828	2624	backup.exe	91
PID 2624 wrote to memory of 1828	2624	backup.exe	91
PID 2624 wrote to memory of 1828	2624	backup.exe	91
PID 1828 wrote to memory of 4992	1828	backup.exe	93
PID 1828 wrote to memory of 4992	1828	backup.exe	93
PID 1828 wrote to memory of 4992	1828	backup.exe	93
PID 1828 wrote to memory of 4580	1828	backup.exe	94
PID 1828 wrote to memory of 4580	1828	backup.exe	94
PID 1828 wrote to memory of 4580	1828	backup.exe	94
PID 4580 wrote to memory of 4324	4580	backup.exe	95
PID 4580 wrote to memory of 4324	4580	backup.exe	95
PID 4580 wrote to memory of 4324	4580	backup.exe	95
PID 4580 wrote to memory of 632	4580	backup.exe	96
PID 4580 wrote to memory of 632	4580	backup.exe	96
PID 4580 wrote to memory of 632	4580	backup.exe	96
PID 632 wrote to memory of 416	632	backup.exe	97
PID 632 wrote to memory of 416	632	backup.exe	97
PID 632 wrote to memory of 416	632	backup.exe	97
PID 632 wrote to memory of 3768	632	backup.exe	98
PID 632 wrote to memory of 3768	632	backup.exe	98
PID 632 wrote to memory of 3768	632	backup.exe	98
PID 632 wrote to memory of 3372	632	backup.exe	99
PID 632 wrote to memory of 3372	632	backup.exe	99
PID 632 wrote to memory of 3372	632	backup.exe	99
PID 632 wrote to memory of 2864	632	backup.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe

C:\Users\Admin\AppData\Local\Temp\4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe
"C:\Users\Admin\AppData\Local\Temp\4db65da5e39abee36789efebe32dd21ac14bae1f56417991d2184a62c7cf6d08.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\1769441070\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1769441070\backup.exe C:\Users\Admin\AppData\Local\Temp\1769441070\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2868
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1600
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1168
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4612
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2296
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:416
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2408
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        
        PID:2740
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2604
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4064
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:876
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4764
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4444
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:3436
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4084
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:536
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:2676
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1948
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3420
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3508
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        9⤵
        
        PID:4864
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4160
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2160
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2580
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:1264
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3492
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2232
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4416
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:912
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4616
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:416
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:3788
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:444
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:368
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2460
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1260
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3672
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        
        PID:540
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4708
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        System policy modification
        
        PID:620
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:3768
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1692
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3724
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2740
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2928
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4552
      - C:\Program Files\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files\Internet Explorer\en-US\System Restore.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1136
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:2232
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2732
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1692
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1420
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:836
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:4852
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        System policy modification
        
        PID:524
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2688
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4772
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:1600
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:1108
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:3016
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:4760
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:1688
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        
        PID:612
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3456
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:3512
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:5068
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:4588
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:1080
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:2724
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:508
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1020
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Drops file in Program Files directory
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Drops file in Program Files directory
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:1420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:3160
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2328
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3160
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:3012
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\data.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3068
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3916
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4928
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        System policy modification
        
        PID:788
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3452
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2432
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3280
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4792
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:1504
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:5000
    - - C:\Program Files (x86)\Google\data.exe
        
        "C:\Program Files (x86)\Google\data.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4516
      - C:\Program Files (x86)\Google\CrashReports\System Restore.exe
        
        "C:\Program Files (x86)\Google\CrashReports\System Restore.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4088
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1228
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2408
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:3944
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2512
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:416
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1880
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3044
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:4736
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:1720
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1372
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3512
      - C:\Users\Admin\Contacts\update.exe
        
        C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:5044
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1252
      - C:\Users\Admin\Documents\update.exe
        
        C:\Users\Admin\Documents\update.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3108
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2752
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3732
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4692
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        System policy modification
        
        PID:3308
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1996
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2428
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4780
        
        C:\Users\Admin\Pictures\Saved Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\System Restore.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:1056
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System policy modification
        
        PID:3568
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3412
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3868
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3604
      - C:\Users\Public\Documents\System Restore.exe
        
        "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
        6⤵
        
        PID:3160
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4128
      - C:\Users\Public\Pictures\data.exe
        
        C:\Users\Public\Pictures\data.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2604
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:748
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1520
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2504
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:4672
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:4840
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:4836
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:920
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:3452
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:1472
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3412
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3872

C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2436
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1440
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
  2⤵
  - System policy modification
  PID:752
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:4304
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:2332
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:4612
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:688
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:580
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3792

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2684

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
1⤵
- Drops file in Program Files directory
PID:3204
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
  2⤵
  PID:2208

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
PID:4996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
1⤵
- Disables RegEdit via registry modification
PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit
C:\Program Files (x86)\Adobe\update.exe

Filesize
72KB

MD5
283fb23549da83548257d835246928c1

SHA1
c4ee1b90b542f288b71be08870be01593329ffe8

SHA256
6fb43983d6d2fdee9ea62b417f0be61a838adeb196a631ad65ac729496001cd1

SHA512
eec6f10daef806165d0053fff7218fc68769f3a3075f48dc06d3aa396c51f77ca3a4489df480f9171907f0323cc30d0331e044f36d307b26ba3d3517a0d9ed12

Download Submit
C:\Program Files (x86)\Adobe\update.exe

Filesize
72KB

MD5
283fb23549da83548257d835246928c1

SHA1
c4ee1b90b542f288b71be08870be01593329ffe8

SHA256
6fb43983d6d2fdee9ea62b417f0be61a838adeb196a631ad65ac729496001cd1

SHA512
eec6f10daef806165d0053fff7218fc68769f3a3075f48dc06d3aa396c51f77ca3a4489df480f9171907f0323cc30d0331e044f36d307b26ba3d3517a0d9ed12

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
72KB

MD5
0efe5ec68459635cbb5fc670618ae6ac

SHA1
664886cff20d053795cfc4064101e25ae1ba03a9

SHA256
020efa96e5b0aa6ffee60c652c7647ada61207a22e155d1af3d494e3ea5fc78d

SHA512
f34f148986898ccefb8f48bfac9aa14e36cecc60a230ac482d70f7833ba304a67e34699f09dcf9a346e09b8fb71182e83556d0a464874fb41ec74044bfedc229

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
49201dce5080573429bd07271dd085fe

SHA1
4626e9270b45ad13a40eb8b2dc8bec9e9ba75401

SHA256
5cf899e634218572ba8c02611f0b260fb0184dd41ab069991caf7460bdc85352

SHA512
19068942ca8e7e1cc9e34390ab23542d4d3682b515b6a153febfb8fbf99e1bb4eb1723594939026ecda5bf09db7e963eb2abfd120b377331ec328800a3a7cbee

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
49201dce5080573429bd07271dd085fe

SHA1
4626e9270b45ad13a40eb8b2dc8bec9e9ba75401

SHA256
5cf899e634218572ba8c02611f0b260fb0184dd41ab069991caf7460bdc85352

SHA512
19068942ca8e7e1cc9e34390ab23542d4d3682b515b6a153febfb8fbf99e1bb4eb1723594939026ecda5bf09db7e963eb2abfd120b377331ec328800a3a7cbee

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
6488b6fe57254f8233ffa5f75981d291

SHA1
26a79b601d73f0e371c0979b001f353760f6130a

SHA256
461616f375cc633e6026b23676619e1c6dc35e9adb058db5c215afcee88f4ef8

SHA512
862acbe1e62b0d90eba25e2c215cf960bc099f78fee13a96158a5e3e41a7eeff0de6435ab157cff118b071522b74f6d671ff6296d656f376f0a2c66f7961a25a

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
72KB

MD5
6488b6fe57254f8233ffa5f75981d291

SHA1
26a79b601d73f0e371c0979b001f353760f6130a

SHA256
461616f375cc633e6026b23676619e1c6dc35e9adb058db5c215afcee88f4ef8

SHA512
862acbe1e62b0d90eba25e2c215cf960bc099f78fee13a96158a5e3e41a7eeff0de6435ab157cff118b071522b74f6d671ff6296d656f376f0a2c66f7961a25a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f6a933adb95f2c231e4184c851cd1ac1

SHA1
97ad480adafa23e81d9d83501a22d0c4105f3532

SHA256
60fc7ba16a72ba5f917589f0a856d6ec34dabd8f8f0a170cd3d0f18064d3b9f6

SHA512
40e362bf4f6deac8b5fc872045d1c2e68580ce2a41b4107bf51ad9de653a62bb4cb99f24b6d66d3502e062e9bf1f8478489553f9293d5139d2e330023cf4f820

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
f6a933adb95f2c231e4184c851cd1ac1

SHA1
97ad480adafa23e81d9d83501a22d0c4105f3532

SHA256
60fc7ba16a72ba5f917589f0a856d6ec34dabd8f8f0a170cd3d0f18064d3b9f6

SHA512
40e362bf4f6deac8b5fc872045d1c2e68580ce2a41b4107bf51ad9de653a62bb4cb99f24b6d66d3502e062e9bf1f8478489553f9293d5139d2e330023cf4f820

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
adf2652e781a6d51c41356be0e88cd96

SHA1
d641d8dbe7dca13d3d6ed913a90d6551129c5411

SHA256
4ea49c977a8d33f86b9236387d10e72a84b7b4e0c3c8badc407133d5ef2565a0

SHA512
5976553c9ca8b44fec87773629788f34bb6a6b6d3587f91ae0b721f8c766071b4e2e418ba216b109e0c74fb477ac27b1897320f94f63cf3d86ea9f70eb6c2c6b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
adf2652e781a6d51c41356be0e88cd96

SHA1
d641d8dbe7dca13d3d6ed913a90d6551129c5411

SHA256
4ea49c977a8d33f86b9236387d10e72a84b7b4e0c3c8badc407133d5ef2565a0

SHA512
5976553c9ca8b44fec87773629788f34bb6a6b6d3587f91ae0b721f8c766071b4e2e418ba216b109e0c74fb477ac27b1897320f94f63cf3d86ea9f70eb6c2c6b

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
dd1d544144afcaba2e8850dfcbad9120

SHA1
46c661eacda864d051d92d9360e6f6267f468169

SHA256
8bd882b18846b212de18186845069e31d3d80d006febfdc38880666371f1def8

SHA512
b5a6d0bbdde01ee655c2f481fb1bbbe13b915cd183829ebb172539f21cf624ad4cb61ba03b0f53a455cb04e6bd72d997d95763cd96604c71674b99a85a7fe1bf

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
dd1d544144afcaba2e8850dfcbad9120

SHA1
46c661eacda864d051d92d9360e6f6267f468169

SHA256
8bd882b18846b212de18186845069e31d3d80d006febfdc38880666371f1def8

SHA512
b5a6d0bbdde01ee655c2f481fb1bbbe13b915cd183829ebb172539f21cf624ad4cb61ba03b0f53a455cb04e6bd72d997d95763cd96604c71674b99a85a7fe1bf

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
f50a1970b5144a7849462d3c26acfb3e

SHA1
ca0f95408ba4a44ee2e1102fb17ef15e964f6131

SHA256
3352ac45119bb2f6a94ffa26788b519f3f2d81c13e0067797a83fc35ccc66654

SHA512
76adeca68691607a382df5d14370d7049ec74a7e1bfe109a7dad48b73c5c008020719bbc9f2cd4dd8b63019fc1a43da856d822b61246c16c6d7626df03c9f719

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
f50a1970b5144a7849462d3c26acfb3e

SHA1
ca0f95408ba4a44ee2e1102fb17ef15e964f6131

SHA256
3352ac45119bb2f6a94ffa26788b519f3f2d81c13e0067797a83fc35ccc66654

SHA512
76adeca68691607a382df5d14370d7049ec74a7e1bfe109a7dad48b73c5c008020719bbc9f2cd4dd8b63019fc1a43da856d822b61246c16c6d7626df03c9f719

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aac2ec8548f7b1b7e3b6ab8f4d3662b7

SHA1
d0ddab29b5c4287ac44d2087b3651cbfefbe0d69

SHA256
6dd29fbe8b2d0151f452a1780b271f971907f542f5242eea8a61139d92a2e520

SHA512
487704df3800812985f18722ad463c8c1a75cbc3ee37e6d53d5942f11db5e316144e204f789f7ccf2866b2135acf7cce5707d74f570735f7aafac098b55d248d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
aac2ec8548f7b1b7e3b6ab8f4d3662b7

SHA1
d0ddab29b5c4287ac44d2087b3651cbfefbe0d69

SHA256
6dd29fbe8b2d0151f452a1780b271f971907f542f5242eea8a61139d92a2e520

SHA512
487704df3800812985f18722ad463c8c1a75cbc3ee37e6d53d5942f11db5e316144e204f789f7ccf2866b2135acf7cce5707d74f570735f7aafac098b55d248d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
cb0e7017549eb5e40dc987f30fe1a1b4

SHA1
d65d391adb45498812efd479dcd1ae0ea20d5b3f

SHA256
196ebb27151774d508e2a1351e8ce6ce99dea7348eaf9a7283964bd46b932b29

SHA512
cfb27a2328d6c925cdad26befb185d2a1ae42996f99eadf694532baee4da56b59a3e673f881574d1d1f83f8842354cb7d1f2118d4b93dac37d1acfc2f4c75f7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
cb0e7017549eb5e40dc987f30fe1a1b4

SHA1
d65d391adb45498812efd479dcd1ae0ea20d5b3f

SHA256
196ebb27151774d508e2a1351e8ce6ce99dea7348eaf9a7283964bd46b932b29

SHA512
cfb27a2328d6c925cdad26befb185d2a1ae42996f99eadf694532baee4da56b59a3e673f881574d1d1f83f8842354cb7d1f2118d4b93dac37d1acfc2f4c75f7a

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
92502b5823461cfb39b94635befb6702

SHA1
d67cf8e223d99f5ae313e6da5831689ff637d200

SHA256
79a53152ce338014600c989b9499e856d041c1622aa4034f38ff9f7666ee3e45

SHA512
13e4c4fb6d201e0b4ece57af669e0fd5fb7e70bee16ef9e8eea23165a34d67fdf512efb063337ae484b5e568b6333686a3be7b25bd1e98cc60bf1b58f57a9142

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
92502b5823461cfb39b94635befb6702

SHA1
d67cf8e223d99f5ae313e6da5831689ff637d200

SHA256
79a53152ce338014600c989b9499e856d041c1622aa4034f38ff9f7666ee3e45

SHA512
13e4c4fb6d201e0b4ece57af669e0fd5fb7e70bee16ef9e8eea23165a34d67fdf512efb063337ae484b5e568b6333686a3be7b25bd1e98cc60bf1b58f57a9142

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
f39a1810948837262f166894e22c8c01

SHA1
64baaba2466122775e6fb2367c7dfcc380934bc5

SHA256
c4cce3a44fe53680985e818a1930fa5395dfdf0488409d8f76cbb462e96fd512

SHA512
030f7ce6d2327dc08e1fc63503cf4a72dffa9af6e9077ab1b4037eb0281776e4ca796e1b02a42ccc888117a3ecc185bf7cee1dad9d1d154f6439f7a5f2062e7d

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
f39a1810948837262f166894e22c8c01

SHA1
64baaba2466122775e6fb2367c7dfcc380934bc5

SHA256
c4cce3a44fe53680985e818a1930fa5395dfdf0488409d8f76cbb462e96fd512

SHA512
030f7ce6d2327dc08e1fc63503cf4a72dffa9af6e9077ab1b4037eb0281776e4ca796e1b02a42ccc888117a3ecc185bf7cee1dad9d1d154f6439f7a5f2062e7d

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
943bac2474e036a17767306710725e04

SHA1
f9c107febb11f14f08956a582865b8f9c0e4506a

SHA256
6dc9e9186714d7562e1c90d47e8873ae3496c75157274071d0d6d4017ced8614

SHA512
4e1b5d20b1e7d2264e91d9cbffc65c2318be5d2d5ee06ad6b4ebad901d0ce530c99da469b5403f08dc6602b0c4427621b91f78f4d8e75dfeb01f7f2beb60cee1

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
943bac2474e036a17767306710725e04

SHA1
f9c107febb11f14f08956a582865b8f9c0e4506a

SHA256
6dc9e9186714d7562e1c90d47e8873ae3496c75157274071d0d6d4017ced8614

SHA512
4e1b5d20b1e7d2264e91d9cbffc65c2318be5d2d5ee06ad6b4ebad901d0ce530c99da469b5403f08dc6602b0c4427621b91f78f4d8e75dfeb01f7f2beb60cee1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
cb0e7017549eb5e40dc987f30fe1a1b4

SHA1
d65d391adb45498812efd479dcd1ae0ea20d5b3f

SHA256
196ebb27151774d508e2a1351e8ce6ce99dea7348eaf9a7283964bd46b932b29

SHA512
cfb27a2328d6c925cdad26befb185d2a1ae42996f99eadf694532baee4da56b59a3e673f881574d1d1f83f8842354cb7d1f2118d4b93dac37d1acfc2f4c75f7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
cb0e7017549eb5e40dc987f30fe1a1b4

SHA1
d65d391adb45498812efd479dcd1ae0ea20d5b3f

SHA256
196ebb27151774d508e2a1351e8ce6ce99dea7348eaf9a7283964bd46b932b29

SHA512
cfb27a2328d6c925cdad26befb185d2a1ae42996f99eadf694532baee4da56b59a3e673f881574d1d1f83f8842354cb7d1f2118d4b93dac37d1acfc2f4c75f7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
bfea394d855d0f90746e09b390fa217c

SHA1
e67e8b7f3ef4d798d7578f966c5aef292cdb9cfc

SHA256
5c442c83bdfe942f59242879c12d4d72e08c5a6a68b6cc9593086b2aa698ba3e

SHA512
ddc9afdd79bbabace7be88bf2efbaf47896cd07e9cabd9aca0e57192e3778b71e508bf8a729a5f7afb844f2dcf3dffbd4f6ed12b8b932496a0218cf85bc304ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
db2fc9c2a2f1da990dc8b84fa985c920

SHA1
98bbbeb6a10036d3900e6c9c2e110fa7ca5a011c

SHA256
13a1a1fbc3529b386ceaee15b82574367fb8d1424532663ac63f82f7c7ad967d

SHA512
24cc2695d4c7515ac27094a5f112de0e928676f680f3a4d1f563c7a8da2a9c1e0a46dfcf10470c4dc686543bcd16c40f6c33157e4636b89bb82a8ba48f33fe99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
db2fc9c2a2f1da990dc8b84fa985c920

SHA1
98bbbeb6a10036d3900e6c9c2e110fa7ca5a011c

SHA256
13a1a1fbc3529b386ceaee15b82574367fb8d1424532663ac63f82f7c7ad967d

SHA512
24cc2695d4c7515ac27094a5f112de0e928676f680f3a4d1f563c7a8da2a9c1e0a46dfcf10470c4dc686543bcd16c40f6c33157e4636b89bb82a8ba48f33fe99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8b2c96a031d50f7a40795fb2ca7b542f

SHA1
c5a914053ea74a8430d805a0e7203cdee535afc1

SHA256
f796be55c119d3ec7a3a4935c2c94cdcb6a75677193c5b43413dc253f2c7c70a

SHA512
ebdc1f22496ff92e847b84c73896471887a774e756ad0480f5b3c91a5513fc1370ebf9ac06b40412a2cfa61fd206877da3fbd2d8933c2f75a6a3588c33fedee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8b2c96a031d50f7a40795fb2ca7b542f

SHA1
c5a914053ea74a8430d805a0e7203cdee535afc1

SHA256
f796be55c119d3ec7a3a4935c2c94cdcb6a75677193c5b43413dc253f2c7c70a

SHA512
ebdc1f22496ff92e847b84c73896471887a774e756ad0480f5b3c91a5513fc1370ebf9ac06b40412a2cfa61fd206877da3fbd2d8933c2f75a6a3588c33fedee9

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
d890903d39422aa301b90ad78d648434

SHA1
481d6bb9910e393018a181138a3e2000255bc316

SHA256
21b63d89ce68f247c23bec4d9a468a35ffc0aaa7015029483cb57dc8106852c3

SHA512
dc35e807569a0c47d51f8b558f56391b0ac6ebaf3ef73234ac86ceb3452d42e19c64e7fff104f845995bce073e1442561267e079393083e26d5aab868b8d525a

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
f64bdb75dcf663fa8302a165ff4827b1

SHA1
0f8aee7294f139412b0bc5b13ca001e7f471df9e

SHA256
0ce87ae0793de36106d55fd558268e7e75a127a3f1790b449bbe965633ab5c68

SHA512
80fe825e5e3f470e2987cf6cbeb44814e50ea1ec61f6ccec397c8f3922b4d82e0d27e05c7c3a9c6903d1067d84c422c830a63dca97d2a56039fbe81fca6d9020

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
f64bdb75dcf663fa8302a165ff4827b1

SHA1
0f8aee7294f139412b0bc5b13ca001e7f471df9e

SHA256
0ce87ae0793de36106d55fd558268e7e75a127a3f1790b449bbe965633ab5c68

SHA512
80fe825e5e3f470e2987cf6cbeb44814e50ea1ec61f6ccec397c8f3922b4d82e0d27e05c7c3a9c6903d1067d84c422c830a63dca97d2a56039fbe81fca6d9020

Download Submit
C:\Program Files\Internet Explorer\backup.exe

Filesize
72KB

MD5
e5d0954a9cc92a7b2eb15c68bcec1cb8

SHA1
20a36b62c52cf15b36499678803f76d4d9ee99cd

SHA256
45391b7af77cd2a7a58d7b9e6c83e9f119be05599ec2bf09b156dfc22e0d140e

SHA512
625f76be80e40b85aad30cccacc951b86ba36f0b7739a4cf9f11c186915af671c37d644c31171393a1bd7f13d51b018ef3d64e30887537dbec711bcb5a8488e9

Download Submit
C:\Program Files\Internet Explorer\backup.exe

Filesize
72KB

MD5
e5d0954a9cc92a7b2eb15c68bcec1cb8

SHA1
20a36b62c52cf15b36499678803f76d4d9ee99cd

SHA256
45391b7af77cd2a7a58d7b9e6c83e9f119be05599ec2bf09b156dfc22e0d140e

SHA512
625f76be80e40b85aad30cccacc951b86ba36f0b7739a4cf9f11c186915af671c37d644c31171393a1bd7f13d51b018ef3d64e30887537dbec711bcb5a8488e9

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1769441070\backup.exe

Filesize
72KB

MD5
cf8288363d5e4035b9e75dc10dc53c9e

SHA1
b20083e947f8163d0ba51fdff36f2f301942eaf4

SHA256
036e259d8138813b3fb74effd1aa2e091df143d6dfa96ebec9085db2de6be31a

SHA512
2746fec46c55a7eae665878ffe6931a99a658d8ef910dff3a303e0e7e66c6f1fa955c6f950901feb0658fb2f1fd620a3121f5a86dd547550db415d7bc881aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1769441070\backup.exe

Filesize
72KB

MD5
cf8288363d5e4035b9e75dc10dc53c9e

SHA1
b20083e947f8163d0ba51fdff36f2f301942eaf4

SHA256
036e259d8138813b3fb74effd1aa2e091df143d6dfa96ebec9085db2de6be31a

SHA512
2746fec46c55a7eae665878ffe6931a99a658d8ef910dff3a303e0e7e66c6f1fa955c6f950901feb0658fb2f1fd620a3121f5a86dd547550db415d7bc881aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
cf8288363d5e4035b9e75dc10dc53c9e

SHA1
b20083e947f8163d0ba51fdff36f2f301942eaf4

SHA256
036e259d8138813b3fb74effd1aa2e091df143d6dfa96ebec9085db2de6be31a

SHA512
2746fec46c55a7eae665878ffe6931a99a658d8ef910dff3a303e0e7e66c6f1fa955c6f950901feb0658fb2f1fd620a3121f5a86dd547550db415d7bc881aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
cf8288363d5e4035b9e75dc10dc53c9e

SHA1
b20083e947f8163d0ba51fdff36f2f301942eaf4

SHA256
036e259d8138813b3fb74effd1aa2e091df143d6dfa96ebec9085db2de6be31a

SHA512
2746fec46c55a7eae665878ffe6931a99a658d8ef910dff3a303e0e7e66c6f1fa955c6f950901feb0658fb2f1fd620a3121f5a86dd547550db415d7bc881aebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7a57920a411d384d9b8414d906a1e817

SHA1
8c56e4b3e26cd12b24902c2447624ee770bf3266

SHA256
9d3910edc904c9ae721b6b6a8237e7ab364495fb5778cd6887ab8f19a3d5ca26

SHA512
91b790fdbc1bb99e77bac02b749f4906ee3b0dce85eb5c6f4caef49abcd30b70b7d99d186893fd3d98fa12a45059ecff675edfaecab1c5bc80b50157d21f832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d98974a971243748ac6f5108ecbc9bd0

SHA1
c3656e7124d553c477f1c043bfa5f270c83b99f4

SHA256
641ade1b23209a1f670b0c7437b824aa8452f9d58941f2d2e50720708c6de6dd

SHA512
bb2ad54c66922dc8d61663dabdeb5d92c846924d3ee532bfb8452d23df21a0ece271d82f939fa7736ea52979bfc330eccb47bbe52ddf71167c53551ca8173b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d98974a971243748ac6f5108ecbc9bd0

SHA1
c3656e7124d553c477f1c043bfa5f270c83b99f4

SHA256
641ade1b23209a1f670b0c7437b824aa8452f9d58941f2d2e50720708c6de6dd

SHA512
bb2ad54c66922dc8d61663dabdeb5d92c846924d3ee532bfb8452d23df21a0ece271d82f939fa7736ea52979bfc330eccb47bbe52ddf71167c53551ca8173b3b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
141de29d1a9572ca00c9397519355bd3

SHA1
8091af200de42bcbe54436e8f6bec0b1e96d99bc

SHA256
09ecffb441d4f2a12e19970a12cdc5aa2d8e34b6a650474cc9e0c99edc5360e5

SHA512
193b7d6c6e31bbdac3b5fd1663f5a8c1ffb7d87b2d4413f7765b99d3e7854853a6b5a73f5e459cf8196e83d072e1ebf209587ec936d0ee3aa64b4f08199ff268

Download Submit
C:\backup.exe

Filesize
72KB

MD5
141de29d1a9572ca00c9397519355bd3

SHA1
8091af200de42bcbe54436e8f6bec0b1e96d99bc

SHA256
09ecffb441d4f2a12e19970a12cdc5aa2d8e34b6a650474cc9e0c99edc5360e5

SHA512
193b7d6c6e31bbdac3b5fd1663f5a8c1ffb7d87b2d4413f7765b99d3e7854853a6b5a73f5e459cf8196e83d072e1ebf209587ec936d0ee3aa64b4f08199ff268

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
52a6566cf01fe41ac41649f130e6224b

SHA1
ad5a299797ccfb1cc66c53028ddeb4c814f3c55f

SHA256
df3a2c5bffb8ad97e644c7398fb85c3cdc774eb51dc575a50ad50a5ec9236262

SHA512
d6a1d9e96a9ca402b4b2d3f5b3892e9b8dd0e524393ec4c83a4159d889d5c0b736fa5d0c4a7be946c1828d478a2dcb32f4a9ed0ae985317c054389c666f49e9d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads