b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985

Analysis

max time kernel
183s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
Size

72KB
MD5

052f888a7780355ec80ba2d4445fa170
SHA1

008c43b6afe6449975c32316483fbeb4ff62bc4f
SHA256

b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985
SHA512

83a8200231bc4a1d6753b08a3ba095429b0dfe07addd58f72939c963dc0e3c22ec4d360194cbf2d2c2d9167f6225e8df54d64b64ac9564ce5ed5e4202545cb41
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2d:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPJ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

Executes dropped EXE 64 IoCs

pid	Process
968	backup.exe
5048	backup.exe
1244	backup.exe
4628	backup.exe
4144	backup.exe
4884	backup.exe
2484	backup.exe
220	backup.exe
228	backup.exe
4948	backup.exe
3868	backup.exe
3280	backup.exe
4860	backup.exe
1620	backup.exe
2340	backup.exe
1796	backup.exe
1484	backup.exe
4432	backup.exe
2944	backup.exe
1816	backup.exe
2212	backup.exe
1612	backup.exe
2336	data.exe
3388	backup.exe
2532	backup.exe
3736	backup.exe
4932	backup.exe
3236	System Restore.exe
1872	backup.exe
1932	backup.exe
1272	backup.exe
1500	backup.exe
3260	backup.exe
2828	backup.exe
1944	backup.exe
3324	backup.exe
2256	backup.exe
5052	System Restore.exe
4172	System Restore.exe
3096	backup.exe
1724	update.exe
4048	backup.exe
4440	backup.exe
1964	backup.exe
704	backup.exe
4476	backup.exe
5116	backup.exe
3772	backup.exe
488	backup.exe
1436	backup.exe
3348	backup.exe
3208	backup.exe
3396	backup.exe
4716	backup.exe
2112	backup.exe
2652	backup.exe
344	backup.exe
4504	backup.exe
3536	System Restore.exe
228	backup.exe
2480	data.exe
3940	backup.exe
4904	backup.exe
528	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe	backup.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
968	backup.exe
5048	backup.exe
1244	backup.exe
4628	backup.exe
4144	backup.exe
4884	backup.exe
2484	backup.exe
228	backup.exe
220	backup.exe
4948	backup.exe
3868	backup.exe
3280	backup.exe
4860	backup.exe
1620	backup.exe
2340	backup.exe
1796	backup.exe
1484	backup.exe
4432	backup.exe
2944	backup.exe
1816	backup.exe
2212	backup.exe
1612	backup.exe
2336	data.exe
3388	backup.exe
2532	backup.exe
3736	backup.exe
4932	backup.exe
3236	System Restore.exe
1872	backup.exe
1932	backup.exe
1272	backup.exe
1500	backup.exe
3260	backup.exe
2828	backup.exe
1944	backup.exe
3324	backup.exe
2256	backup.exe
5052	System Restore.exe
4172	System Restore.exe
3096	backup.exe
4440	backup.exe
1964	backup.exe
4048	backup.exe
1724	update.exe
4476	backup.exe
704	backup.exe
5116	backup.exe
3772	backup.exe
488	backup.exe
1436	backup.exe
3348	backup.exe
3208	backup.exe
3396	backup.exe
4716	backup.exe
2652	backup.exe
344	backup.exe
2112	backup.exe
4504	backup.exe
3536	System Restore.exe
228	backup.exe
2480	data.exe
3940	backup.exe
4904	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 968	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	80
PID 4424 wrote to memory of 968	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	80
PID 4424 wrote to memory of 968	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	80
PID 4424 wrote to memory of 5048	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	81
PID 4424 wrote to memory of 5048	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	81
PID 4424 wrote to memory of 5048	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	81
PID 4424 wrote to memory of 1244	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	82
PID 4424 wrote to memory of 1244	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	82
PID 4424 wrote to memory of 1244	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	82
PID 4424 wrote to memory of 4628	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	83
PID 4424 wrote to memory of 4628	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	83
PID 4424 wrote to memory of 4628	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	83
PID 4424 wrote to memory of 4144	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	84
PID 4424 wrote to memory of 4144	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	84
PID 4424 wrote to memory of 4144	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	84
PID 4424 wrote to memory of 4884	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	85
PID 4424 wrote to memory of 4884	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	85
PID 4424 wrote to memory of 4884	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	85
PID 968 wrote to memory of 2484	968	backup.exe	86
PID 968 wrote to memory of 2484	968	backup.exe	86
PID 968 wrote to memory of 2484	968	backup.exe	86
PID 2484 wrote to memory of 220	2484	backup.exe	87
PID 2484 wrote to memory of 220	2484	backup.exe	87
PID 2484 wrote to memory of 220	2484	backup.exe	87
PID 4424 wrote to memory of 228	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	88
PID 4424 wrote to memory of 228	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	88
PID 4424 wrote to memory of 228	4424	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe	88
PID 2484 wrote to memory of 4948	2484	backup.exe	89
PID 2484 wrote to memory of 4948	2484	backup.exe	89
PID 2484 wrote to memory of 4948	2484	backup.exe	89
PID 2484 wrote to memory of 3868	2484	backup.exe	90
PID 2484 wrote to memory of 3868	2484	backup.exe	90
PID 2484 wrote to memory of 3868	2484	backup.exe	90
PID 3868 wrote to memory of 3280	3868	backup.exe	91
PID 3868 wrote to memory of 3280	3868	backup.exe	91
PID 3868 wrote to memory of 3280	3868	backup.exe	91
PID 3280 wrote to memory of 4860	3280	backup.exe	92
PID 3280 wrote to memory of 4860	3280	backup.exe	92
PID 3280 wrote to memory of 4860	3280	backup.exe	92
PID 3868 wrote to memory of 1620	3868	backup.exe	93
PID 3868 wrote to memory of 1620	3868	backup.exe	93
PID 3868 wrote to memory of 1620	3868	backup.exe	93
PID 1620 wrote to memory of 2340	1620	backup.exe	94
PID 1620 wrote to memory of 2340	1620	backup.exe	94
PID 1620 wrote to memory of 2340	1620	backup.exe	94
PID 1620 wrote to memory of 1796	1620	backup.exe	95
PID 1620 wrote to memory of 1796	1620	backup.exe	95
PID 1620 wrote to memory of 1796	1620	backup.exe	95
PID 1796 wrote to memory of 1484	1796	backup.exe	96
PID 1796 wrote to memory of 1484	1796	backup.exe	96
PID 1796 wrote to memory of 1484	1796	backup.exe	96
PID 1796 wrote to memory of 4432	1796	backup.exe	97
PID 1796 wrote to memory of 4432	1796	backup.exe	97
PID 1796 wrote to memory of 4432	1796	backup.exe	97
PID 4432 wrote to memory of 2944	4432	backup.exe	98
PID 4432 wrote to memory of 2944	4432	backup.exe	98
PID 4432 wrote to memory of 2944	4432	backup.exe	98
PID 4432 wrote to memory of 1816	4432	backup.exe	99
PID 4432 wrote to memory of 1816	4432	backup.exe	99
PID 4432 wrote to memory of 1816	4432	backup.exe	99
PID 4432 wrote to memory of 2212	4432	backup.exe	100
PID 4432 wrote to memory of 2212	4432	backup.exe	100
PID 4432 wrote to memory of 2212	4432	backup.exe	100
PID 4432 wrote to memory of 1612	4432	backup.exe	101

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe
"C:\Users\Admin\AppData\Local\Temp\b63077d5880f171ad30ddfb619694b3fde2e2b15b9dafcfdb2e197e566bb3985.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4424
- C:\Users\Admin\AppData\Local\Temp\2369443192\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2369443192\backup.exe C:\Users\Admin\AppData\Local\Temp\2369443192\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:220
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4948
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4860
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1620
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4432
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2212
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3388
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2532
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3736
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3236
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3324
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2112
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:528
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1504
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\data.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:1284
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:3696
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3928
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:2644
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:4112
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3312
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        System policy modification
        
        PID:1432
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4540
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1436
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2652
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:924
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:984
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4244
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1740
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3632
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4940
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4312
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:2756
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4820
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:60
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4960
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:1100
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:2760
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3096
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:488
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1484
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:2760
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2632
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4424
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4356
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4816
        
        C:\Program Files\Common Files\System\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\en-US\System Restore.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3640
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:3108
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3880
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:820
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Program Files\Common Files\System\msadc\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\data.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4908
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1736
    - - C:\Program Files\Google\System Restore.exe
        
        "C:\Program Files\Google\System Restore.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4172
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:228
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        System policy modification
        
        PID:5060
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1424
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:980
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3992
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1664
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1432
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        System policy modification
        
        PID:4372
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4060
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3636
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:3676
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3120
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:404
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3592
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1096
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:4648
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        System policy modification
        
        PID:4964
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        System policy modification
        
        PID:3084
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:4816
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2208
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Drops file in Program Files directory
        
        PID:1476
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:2756
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:2044
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4584
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1544
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4976
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:3696
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1724
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5116
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:3444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:3760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        System policy modification
        
        PID:3500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        System policy modification
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3732
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:2424
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:1656
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        
        PID:3848
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        System policy modification
        
        PID:3280
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:1044
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4444
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4076
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        
        PID:3596
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2820
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2516
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4012
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3712
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:2784
      - C:\Program Files (x86)\Google\Temp\System Restore.exe
        
        "C:\Program Files (x86)\Google\Temp\System Restore.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:3208
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3480
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:3252
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2780
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:2656
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3092
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        
        PID:760
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:1856
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1736
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3104
      - C:\Users\Admin\Downloads\data.exe
        
        C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3928
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3920
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3996
      - C:\Users\Admin\Music\System Restore.exe
        
        "C:\Users\Admin\Music\System Restore.exe" C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4512
      - C:\Users\Admin\OneDrive\data.exe
        
        C:\Users\Admin\OneDrive\data.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4460
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4244
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3656
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2032
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2348
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4048
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3620
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4340
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:2772
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:32
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2540
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2092
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:228

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
- Disables RegEdit via registry modification
- System policy modification
PID:432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
1⤵
- Disables RegEdit via registry modification
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0e768841976a1862a7046bf90ae12309

SHA1
212bf53ff8b0cfba9627c20850482e4187cde310

SHA256
9068aae2bf382ca2adbff39b1fcc4614ef5bd0d4ceb82cd7aafc7d7d7224fde9

SHA512
c534a0984b27782d1f17522a27d15e337ebadc67b357fdedcb85e5ed5695115ac0b3d249792d9a6cc35d35ec97e1bdeed257fde4aace14fbaa0cc15590a51813

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0e768841976a1862a7046bf90ae12309

SHA1
212bf53ff8b0cfba9627c20850482e4187cde310

SHA256
9068aae2bf382ca2adbff39b1fcc4614ef5bd0d4ceb82cd7aafc7d7d7224fde9

SHA512
c534a0984b27782d1f17522a27d15e337ebadc67b357fdedcb85e5ed5695115ac0b3d249792d9a6cc35d35ec97e1bdeed257fde4aace14fbaa0cc15590a51813

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
921515ff4b2335e6e85250a879c83b11

SHA1
aa69188bb318109d0945c1f73cc812a34c667fc9

SHA256
0ad7bad267a5c08ee21f850a4d187b40e06771c925e38b1f3727d5e6c3ecefdc

SHA512
f736016831fedbc4de56878753b0394944686c428d0b20db3013db3d83f57ea5705bc9c53b842d51dcf255c03d690c00afa1a5772c8ef587c802fa61a91707bb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
921515ff4b2335e6e85250a879c83b11

SHA1
aa69188bb318109d0945c1f73cc812a34c667fc9

SHA256
0ad7bad267a5c08ee21f850a4d187b40e06771c925e38b1f3727d5e6c3ecefdc

SHA512
f736016831fedbc4de56878753b0394944686c428d0b20db3013db3d83f57ea5705bc9c53b842d51dcf255c03d690c00afa1a5772c8ef587c802fa61a91707bb

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ce5684a08a4edf7a4a81b5012f0c4966

SHA1
a36c18ed8b7f4ada4264c8342c90df0bb0448f76

SHA256
b4e6a79a4051b3e6e9a7e1e24180144931d8dbbe524f0ce59c307e2212af7acf

SHA512
a7a3548be9fe24db575a58eb2e3ba9ffb4215d854d58f2fa02c6830649ddc4266b32d571218fd335caf26a00148791bdea4cd80fc3f425360cb39e6f4f7a3fa8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ce5684a08a4edf7a4a81b5012f0c4966

SHA1
a36c18ed8b7f4ada4264c8342c90df0bb0448f76

SHA256
b4e6a79a4051b3e6e9a7e1e24180144931d8dbbe524f0ce59c307e2212af7acf

SHA512
a7a3548be9fe24db575a58eb2e3ba9ffb4215d854d58f2fa02c6830649ddc4266b32d571218fd335caf26a00148791bdea4cd80fc3f425360cb39e6f4f7a3fa8

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
921515ff4b2335e6e85250a879c83b11

SHA1
aa69188bb318109d0945c1f73cc812a34c667fc9

SHA256
0ad7bad267a5c08ee21f850a4d187b40e06771c925e38b1f3727d5e6c3ecefdc

SHA512
f736016831fedbc4de56878753b0394944686c428d0b20db3013db3d83f57ea5705bc9c53b842d51dcf255c03d690c00afa1a5772c8ef587c802fa61a91707bb

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
921515ff4b2335e6e85250a879c83b11

SHA1
aa69188bb318109d0945c1f73cc812a34c667fc9

SHA256
0ad7bad267a5c08ee21f850a4d187b40e06771c925e38b1f3727d5e6c3ecefdc

SHA512
f736016831fedbc4de56878753b0394944686c428d0b20db3013db3d83f57ea5705bc9c53b842d51dcf255c03d690c00afa1a5772c8ef587c802fa61a91707bb

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ce5684a08a4edf7a4a81b5012f0c4966

SHA1
a36c18ed8b7f4ada4264c8342c90df0bb0448f76

SHA256
b4e6a79a4051b3e6e9a7e1e24180144931d8dbbe524f0ce59c307e2212af7acf

SHA512
a7a3548be9fe24db575a58eb2e3ba9ffb4215d854d58f2fa02c6830649ddc4266b32d571218fd335caf26a00148791bdea4cd80fc3f425360cb39e6f4f7a3fa8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
ce5684a08a4edf7a4a81b5012f0c4966

SHA1
a36c18ed8b7f4ada4264c8342c90df0bb0448f76

SHA256
b4e6a79a4051b3e6e9a7e1e24180144931d8dbbe524f0ce59c307e2212af7acf

SHA512
a7a3548be9fe24db575a58eb2e3ba9ffb4215d854d58f2fa02c6830649ddc4266b32d571218fd335caf26a00148791bdea4cd80fc3f425360cb39e6f4f7a3fa8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b10755ab517105c0140309c27d33cc3c

SHA1
8ddb1b947e3d25a9deec377cd6cb29c021c602e5

SHA256
88dec16e69ee44e9e83876f8275cbcc647ecea85d840fba8787df71fd27e8d1a

SHA512
4673771b1a7d8174f4666247ee09a80200497896c0ad8988e94be731c0fd121e9c1c2707d0b4f6ba7077958cc11e848b0581fd6970fe8f7c1cfc6000f8470d46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b10755ab517105c0140309c27d33cc3c

SHA1
8ddb1b947e3d25a9deec377cd6cb29c021c602e5

SHA256
88dec16e69ee44e9e83876f8275cbcc647ecea85d840fba8787df71fd27e8d1a

SHA512
4673771b1a7d8174f4666247ee09a80200497896c0ad8988e94be731c0fd121e9c1c2707d0b4f6ba7077958cc11e848b0581fd6970fe8f7c1cfc6000f8470d46

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
d3c61385ccfbb0b376f32f7fb41f1097

SHA1
ceb0bdf1d6541f4394bf1a6659148e58f1d83069

SHA256
850e955dc2426d132cc1632ac3386cf3ef9a98bbf7c0ffbec29905231e71c302

SHA512
24b22bf828ecc8ba2e9387857544d19c63c315583b94ccba07cbd643f5dcecfcfd03b6990fe2f2a34f57da49d12f034b9b361a7c0d5923aaf953503fc183c72f

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
d3c61385ccfbb0b376f32f7fb41f1097

SHA1
ceb0bdf1d6541f4394bf1a6659148e58f1d83069

SHA256
850e955dc2426d132cc1632ac3386cf3ef9a98bbf7c0ffbec29905231e71c302

SHA512
24b22bf828ecc8ba2e9387857544d19c63c315583b94ccba07cbd643f5dcecfcfd03b6990fe2f2a34f57da49d12f034b9b361a7c0d5923aaf953503fc183c72f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
654891ecd081d7b3243d64a2f1322d06

SHA1
b23f50a2f012e60951b2521fc5f4bdbf0571f84f

SHA256
b6416994c403d698ab65b69a26d70d7dcbb86f2b16c97670f34414cc288f0ce6

SHA512
331616ce920f2351bdebb0a8d92c29d29d1993708a007265bb190a79ca63b82c063a4f89d6ec1d85d2b6e0420c98e7c23e55c9da3a756c9d8fb1e21efbfefba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
654891ecd081d7b3243d64a2f1322d06

SHA1
b23f50a2f012e60951b2521fc5f4bdbf0571f84f

SHA256
b6416994c403d698ab65b69a26d70d7dcbb86f2b16c97670f34414cc288f0ce6

SHA512
331616ce920f2351bdebb0a8d92c29d29d1993708a007265bb190a79ca63b82c063a4f89d6ec1d85d2b6e0420c98e7c23e55c9da3a756c9d8fb1e21efbfefba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b10755ab517105c0140309c27d33cc3c

SHA1
8ddb1b947e3d25a9deec377cd6cb29c021c602e5

SHA256
88dec16e69ee44e9e83876f8275cbcc647ecea85d840fba8787df71fd27e8d1a

SHA512
4673771b1a7d8174f4666247ee09a80200497896c0ad8988e94be731c0fd121e9c1c2707d0b4f6ba7077958cc11e848b0581fd6970fe8f7c1cfc6000f8470d46

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b10755ab517105c0140309c27d33cc3c

SHA1
8ddb1b947e3d25a9deec377cd6cb29c021c602e5

SHA256
88dec16e69ee44e9e83876f8275cbcc647ecea85d840fba8787df71fd27e8d1a

SHA512
4673771b1a7d8174f4666247ee09a80200497896c0ad8988e94be731c0fd121e9c1c2707d0b4f6ba7077958cc11e848b0581fd6970fe8f7c1cfc6000f8470d46

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
654891ecd081d7b3243d64a2f1322d06

SHA1
b23f50a2f012e60951b2521fc5f4bdbf0571f84f

SHA256
b6416994c403d698ab65b69a26d70d7dcbb86f2b16c97670f34414cc288f0ce6

SHA512
331616ce920f2351bdebb0a8d92c29d29d1993708a007265bb190a79ca63b82c063a4f89d6ec1d85d2b6e0420c98e7c23e55c9da3a756c9d8fb1e21efbfefba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
654891ecd081d7b3243d64a2f1322d06

SHA1
b23f50a2f012e60951b2521fc5f4bdbf0571f84f

SHA256
b6416994c403d698ab65b69a26d70d7dcbb86f2b16c97670f34414cc288f0ce6

SHA512
331616ce920f2351bdebb0a8d92c29d29d1993708a007265bb190a79ca63b82c063a4f89d6ec1d85d2b6e0420c98e7c23e55c9da3a756c9d8fb1e21efbfefba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
dcc06285647e216c1f783132b81cffe9

SHA1
500430faad914dd769bb429a36d017fb015066c9

SHA256
f299c3fde4f8adfdcae8850c396ba6f4f4a0bd823fe9879142ff810889c059d2

SHA512
e783fb1fb76bf70d3a85dea2036a516e3458526f6401fcfb5875fc6b5ac468d904d39c0eb3bfea526c3c6934b58da66354fc7dbc2cb5ab85ef11d86d90e63801

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
b767455cbb458db1aacbf05c2d66d4e1

SHA1
0f094aba49d6f74ba6f0842c9388fefc9a67f576

SHA256
b27dde3d0e2cbd3b73aac7c177ee18ecc312b93014942ad87e342d8825b4f56b

SHA512
cd4d0eb042a374302db764f5f4b55acba319b226530f968d6a6da63ba5e601d4d0f542f7e3b4c947ccc4f64f6e7a97e17c927cafafe40d0da7fcd0388413cc00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d4614ac2d30bb9e050152a03ad56b216

SHA1
a311ebfcf26aa41ca36f57028294fceeb25ebc0c

SHA256
d7fb58233f2e5205c54598cf22566fed475dbd9cdf0658d065964b5f3d8f37ee

SHA512
e55d6dbb01c4c73584995f14f7b94a015e20104fbb3b96211246fcbf40089ff0c758754394941da2ec2d69bd7baa9d18b13745b8f9322b0be1960d3dff21c224

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d4614ac2d30bb9e050152a03ad56b216

SHA1
a311ebfcf26aa41ca36f57028294fceeb25ebc0c

SHA256
d7fb58233f2e5205c54598cf22566fed475dbd9cdf0658d065964b5f3d8f37ee

SHA512
e55d6dbb01c4c73584995f14f7b94a015e20104fbb3b96211246fcbf40089ff0c758754394941da2ec2d69bd7baa9d18b13745b8f9322b0be1960d3dff21c224

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3e402690215894cbf436e782cc6649ad

SHA1
6e80c339f6b79705b6e3ace904814dbdca7ab656

SHA256
b56060844335fc8f9ed6c36b92614a41e460abaeb1c06f76494ee27ed829b54b

SHA512
28e793022c1280dd2a45de1622ac1eea693ea9e8d2bb4c85f67f1645ebfe3a8fdac3219a1d870efa03dce48b0b79eab600d9adf3207cf524196d315802499657

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3e402690215894cbf436e782cc6649ad

SHA1
6e80c339f6b79705b6e3ace904814dbdca7ab656

SHA256
b56060844335fc8f9ed6c36b92614a41e460abaeb1c06f76494ee27ed829b54b

SHA512
28e793022c1280dd2a45de1622ac1eea693ea9e8d2bb4c85f67f1645ebfe3a8fdac3219a1d870efa03dce48b0b79eab600d9adf3207cf524196d315802499657

Download Submit
C:\Users\Admin\AppData\Local\Temp\2369443192\backup.exe

Filesize
72KB

MD5
a9dcfb155bd9b47a21e0347d18244ef7

SHA1
3e34af7b103dc52604763722af6823250ad7ccae

SHA256
d359eeb3b7f771de181846088b209325a8aaafc5d1ec0ad7759ee030f3fedd92

SHA512
2ce0c794f06d1b5f7214b606da3e84d415c878a718a5a7561b788aae38130969c9517302a5af5a33f2079215d86c1dee519c914a6bfa953f6d1adaad95201cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2369443192\backup.exe

Filesize
72KB

MD5
a9dcfb155bd9b47a21e0347d18244ef7

SHA1
3e34af7b103dc52604763722af6823250ad7ccae

SHA256
d359eeb3b7f771de181846088b209325a8aaafc5d1ec0ad7759ee030f3fedd92

SHA512
2ce0c794f06d1b5f7214b606da3e84d415c878a718a5a7561b788aae38130969c9517302a5af5a33f2079215d86c1dee519c914a6bfa953f6d1adaad95201cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7e3a386e549aedee83b9b8aed5374eef

SHA1
5b425076911dba4ab207adf0930889de5af8743e

SHA256
6b6ee549bc9e77b22bb190bb5b00afd9778284b57e1c1f78d171efa8c59978c1

SHA512
293d656a4e4a6f59f01a4c1891eafe585c896c96d456b48f39a86fa97292528fe513751192bf97d4e2a172bf1ec1fdfbfe5332191efdeeffba75fc48cdc9061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
7e3a386e549aedee83b9b8aed5374eef

SHA1
5b425076911dba4ab207adf0930889de5af8743e

SHA256
6b6ee549bc9e77b22bb190bb5b00afd9778284b57e1c1f78d171efa8c59978c1

SHA512
293d656a4e4a6f59f01a4c1891eafe585c896c96d456b48f39a86fa97292528fe513751192bf97d4e2a172bf1ec1fdfbfe5332191efdeeffba75fc48cdc9061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
711e2de65d2f2e20d7b32d7be0b22a4f

SHA1
7e310a1fc8ac934677c6aabb647828ea8510aeba

SHA256
0203ec947379423816a3cf27d70cf7226115add18c953b5f6e1ede27800ab1f9

SHA512
8eb2aa0d5af72da2455afc2635ed611abf911dcca4eb83f542d1cded12fd984d58bdf7e33ab7b5f560eff0d908b593d34b33fe6d8b5c289e63f2e2ddb604a46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
81420386e70382edaf66511271944868

SHA1
61ce56c6914c586471c89386c3cd4b4271d6c1cd

SHA256
9cfc634e616893463d879d4df8b5d273a58c97738f78d4a111975591daff022a

SHA512
373dbaf2c8fc9dbda2219e881bdf12f77691073eea1e5d88aaee4b0193c1d013cc96362a76fbaeeba0a24b552096afb0ee35512b980ab94bc97bb433a470712b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
81420386e70382edaf66511271944868

SHA1
61ce56c6914c586471c89386c3cd4b4271d6c1cd

SHA256
9cfc634e616893463d879d4df8b5d273a58c97738f78d4a111975591daff022a

SHA512
373dbaf2c8fc9dbda2219e881bdf12f77691073eea1e5d88aaee4b0193c1d013cc96362a76fbaeeba0a24b552096afb0ee35512b980ab94bc97bb433a470712b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
594ade5f68b6c453a82442a62ed7d9fe

SHA1
e0fe718cbce8f8b1f4da29dafac3f6fb7a7fdb80

SHA256
7633cb872fcc076d34e266abe01f9472e19e897df0d5a2b141b97920d171bc0c

SHA512
bfcb562fc5f6cce8724fb3e6ae8f63cd6cd9e757f64a3c12c1d92dfa881bc29859be2c75ca5193774e9f8d1a9903c1a6ffd8448f3482f6a2d142e7727348ac83

Download Submit
C:\backup.exe

Filesize
72KB

MD5
594ade5f68b6c453a82442a62ed7d9fe

SHA1
e0fe718cbce8f8b1f4da29dafac3f6fb7a7fdb80

SHA256
7633cb872fcc076d34e266abe01f9472e19e897df0d5a2b141b97920d171bc0c

SHA512
bfcb562fc5f6cce8724fb3e6ae8f63cd6cd9e757f64a3c12c1d92dfa881bc29859be2c75ca5193774e9f8d1a9903c1a6ffd8448f3482f6a2d142e7727348ac83

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0e768841976a1862a7046bf90ae12309

SHA1
212bf53ff8b0cfba9627c20850482e4187cde310

SHA256
9068aae2bf382ca2adbff39b1fcc4614ef5bd0d4ceb82cd7aafc7d7d7224fde9

SHA512
c534a0984b27782d1f17522a27d15e337ebadc67b357fdedcb85e5ed5695115ac0b3d249792d9a6cc35d35ec97e1bdeed257fde4aace14fbaa0cc15590a51813

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0e768841976a1862a7046bf90ae12309

SHA1
212bf53ff8b0cfba9627c20850482e4187cde310

SHA256
9068aae2bf382ca2adbff39b1fcc4614ef5bd0d4ceb82cd7aafc7d7d7224fde9

SHA512
c534a0984b27782d1f17522a27d15e337ebadc67b357fdedcb85e5ed5695115ac0b3d249792d9a6cc35d35ec97e1bdeed257fde4aace14fbaa0cc15590a51813

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads