583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e

Analysis

max time kernel
204s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe
Size

72KB
MD5

0e596f4280ba22d787dbb365aecee56b
SHA1

8c02d4bce2bd51a2fc65a4ebc213b7440e2454c9
SHA256

583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e
SHA512

278dc953f920be130127a9a961bfe989dda791e4462fec473b9b8056f62eaa5190cb13c64c5b3ae5bdf062e090a3ce7ea8d7c74ece1493c266b4b5d4856d430c
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2N:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrB

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4812	backup.exe
3328	backup.exe
5068	data.exe
4712	backup.exe
4620	backup.exe
2196	backup.exe
2436	backup.exe
1320	backup.exe
1444	backup.exe
4080	backup.exe
1504	backup.exe
4184	System Restore.exe
3780	backup.exe
216	backup.exe
3032	backup.exe
4304	backup.exe
3848	backup.exe
3116	backup.exe
2776	backup.exe
4904	backup.exe
4588	backup.exe
3096	backup.exe
2100	backup.exe
4832	backup.exe
3880	backup.exe
2784	backup.exe
4368	backup.exe
1540	backup.exe
3708	backup.exe
2696	backup.exe
4176	backup.exe
5088	backup.exe
4036	backup.exe
1980	backup.exe
4144	backup.exe
4212	update.exe
2384	backup.exe
948	backup.exe
4996	backup.exe
1748	backup.exe
2248	backup.exe
3396	backup.exe
4852	backup.exe
4320	backup.exe
3568	backup.exe
2268	backup.exe
1572	backup.exe
1276	backup.exe
2352	backup.exe
3044	backup.exe
3472	backup.exe
1396	backup.exe
884	backup.exe
888	backup.exe
984	data.exe
4700	backup.exe
4172	System Restore.exe
3592	backup.exe
808	backup.exe
3536	backup.exe
2992	backup.exe
4732	backup.exe
3944	backup.exe
3444	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\data.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\System Restore.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\data.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe
4812	backup.exe
3328	backup.exe
5068	data.exe
4712	backup.exe
4620	backup.exe
2196	backup.exe
2436	backup.exe
1320	backup.exe
1444	backup.exe
4080	backup.exe
1504	backup.exe
4184	System Restore.exe
3780	backup.exe
216	backup.exe
3032	backup.exe
4304	backup.exe
3848	backup.exe
3116	backup.exe
2776	backup.exe
4904	backup.exe
4588	backup.exe
3096	backup.exe
2100	backup.exe
4832	backup.exe
3880	backup.exe
2784	backup.exe
4368	backup.exe
1540	backup.exe
3708	backup.exe
2696	backup.exe
4176	backup.exe
5088	backup.exe
4036	backup.exe
1980	backup.exe
2384	backup.exe
4212	update.exe
4144	backup.exe
948	backup.exe
4996	backup.exe
2248	backup.exe
3396	backup.exe
1748	backup.exe
4852	backup.exe
4320	backup.exe
3568	backup.exe
2268	backup.exe
1572	backup.exe
1276	backup.exe
2352	backup.exe
3472	backup.exe
3044	backup.exe
1396	backup.exe
884	backup.exe
888	backup.exe
4700	backup.exe
984	data.exe
4172	System Restore.exe
3592	backup.exe
808	backup.exe
3536	backup.exe
4732	backup.exe
2992	backup.exe
3944	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4812	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	77
PID 1668 wrote to memory of 4812	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	77
PID 1668 wrote to memory of 4812	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	77
PID 1668 wrote to memory of 3328	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	78
PID 1668 wrote to memory of 3328	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	78
PID 1668 wrote to memory of 3328	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	78
PID 1668 wrote to memory of 5068	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	79
PID 1668 wrote to memory of 5068	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	79
PID 1668 wrote to memory of 5068	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	79
PID 1668 wrote to memory of 4712	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	80
PID 1668 wrote to memory of 4712	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	80
PID 1668 wrote to memory of 4712	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	80
PID 4812 wrote to memory of 4620	4812	backup.exe	81
PID 4812 wrote to memory of 4620	4812	backup.exe	81
PID 4812 wrote to memory of 4620	4812	backup.exe	81
PID 1668 wrote to memory of 2196	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	82
PID 1668 wrote to memory of 2196	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	82
PID 1668 wrote to memory of 2196	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	82
PID 4620 wrote to memory of 2436	4620	backup.exe	83
PID 4620 wrote to memory of 2436	4620	backup.exe	83
PID 4620 wrote to memory of 2436	4620	backup.exe	83
PID 4620 wrote to memory of 1320	4620	backup.exe	84
PID 4620 wrote to memory of 1320	4620	backup.exe	84
PID 4620 wrote to memory of 1320	4620	backup.exe	84
PID 1668 wrote to memory of 1444	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	85
PID 1668 wrote to memory of 1444	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	85
PID 1668 wrote to memory of 1444	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	85
PID 4620 wrote to memory of 4080	4620	backup.exe	86
PID 4620 wrote to memory of 4080	4620	backup.exe	86
PID 4620 wrote to memory of 4080	4620	backup.exe	86
PID 1668 wrote to memory of 1504	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	87
PID 1668 wrote to memory of 1504	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	87
PID 1668 wrote to memory of 1504	1668	583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe	87
PID 4080 wrote to memory of 4184	4080	backup.exe	88
PID 4080 wrote to memory of 4184	4080	backup.exe	88
PID 4080 wrote to memory of 4184	4080	backup.exe	88
PID 4184 wrote to memory of 3780	4184	System Restore.exe	89
PID 4184 wrote to memory of 3780	4184	System Restore.exe	89
PID 4184 wrote to memory of 3780	4184	System Restore.exe	89
PID 4080 wrote to memory of 216	4080	backup.exe	90
PID 4080 wrote to memory of 216	4080	backup.exe	90
PID 4080 wrote to memory of 216	4080	backup.exe	90
PID 216 wrote to memory of 3032	216	backup.exe	91
PID 216 wrote to memory of 3032	216	backup.exe	91
PID 216 wrote to memory of 3032	216	backup.exe	91
PID 216 wrote to memory of 4304	216	backup.exe	92
PID 216 wrote to memory of 4304	216	backup.exe	92
PID 216 wrote to memory of 4304	216	backup.exe	92
PID 4304 wrote to memory of 3848	4304	backup.exe	93
PID 4304 wrote to memory of 3848	4304	backup.exe	93
PID 4304 wrote to memory of 3848	4304	backup.exe	93
PID 4304 wrote to memory of 3116	4304	backup.exe	94
PID 4304 wrote to memory of 3116	4304	backup.exe	94
PID 4304 wrote to memory of 3116	4304	backup.exe	94
PID 3116 wrote to memory of 2776	3116	backup.exe	95
PID 3116 wrote to memory of 2776	3116	backup.exe	95
PID 3116 wrote to memory of 2776	3116	backup.exe	95
PID 3116 wrote to memory of 4904	3116	backup.exe	96
PID 3116 wrote to memory of 4904	3116	backup.exe	96
PID 3116 wrote to memory of 4904	3116	backup.exe	96
PID 3116 wrote to memory of 4588	3116	backup.exe	97
PID 3116 wrote to memory of 4588	3116	backup.exe	97
PID 3116 wrote to memory of 4588	3116	backup.exe	97
PID 3116 wrote to memory of 3096	3116	backup.exe	98

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe
"C:\Users\Admin\AppData\Local\Temp\583492cb324740cd9dd2a85eb03df3815c3e123f9e6e61a455d6b8ac7a26737e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\3914382429\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3914382429\backup.exe C:\Users\Admin\AppData\Local\Temp\3914382429\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2436
    - - C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        5⤵
        
        PID:2304
      - C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1648
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1320
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Program Files\7-Zip\System Restore.exe
        
        "C:\Program Files\7-Zip\System Restore.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4184
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3780
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2776
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4832
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3880
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2784
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4368
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4212
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        System policy modification
        
        PID:4556
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4060
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        System policy modification
        
        PID:2968
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:3460
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:3004
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:3120
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:728
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:4284
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:4648
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:4092
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5068
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:3328
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1924
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:2784
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:4536
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4980
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1424
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1104
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2260
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4776
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        System policy modification
        
        PID:3948
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:1144
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:616
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4176
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4320
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3568
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:808
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3536
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4132
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:3780
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:3848
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4892
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:3244
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4788
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:3836
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4036
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4996
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2212
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3764
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4972
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:3644
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3292
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2532
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1880
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:112
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3864
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:4332
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        System policy modification
        
        PID:4772
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:460
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2540
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4832
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:3804
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3708
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Disables RegEdit via registry modification
        
        PID:428
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:228
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:4576
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2776
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:3212
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4712
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3348
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4536
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2488
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:1148
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:5012
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:3000
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:800
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4180
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:4988
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4084
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:4328
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4500
      - C:\Program Files\Java\jdk1.8.0_66\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\data.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4280
        
        C:\Program Files\Java\jdk1.8.0_66\include\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3708
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2716
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:2428
        
        C:\Program Files\Java\jdk1.8.0_66\jre\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:4960
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:112
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1164
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:3608
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:1500
        
        C:\Program Files\Microsoft Office\root\Client\data.exe
        
        "C:\Program Files\Microsoft Office\root\Client\data.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        System policy modification
        
        PID:3292
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:2476
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3420
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:2976
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4976
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4348
        
        C:\Program Files\Microsoft Office\root\Integration\update.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\update.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:3112
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2696
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:3444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:4420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:772
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:3544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        System policy modification
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        System policy modification
        
        PID:5044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        
        PID:5068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:3960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        
        PID:4348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        System policy modification
        
        PID:4052
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:348
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4116
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1276
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:5032
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\update.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5100
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2816
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:2684
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:4724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Disables RegEdit via registry modification
        
        PID:4472
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        System policy modification
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4404
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:3032
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:216
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:3236
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2288
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5020
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3964
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:4732
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:3280
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Drops file in Program Files directory
        
        PID:636
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        System policy modification
        
        PID:3444
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:3016
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2208
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1572
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4132
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:4928
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:4704
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:5100
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:4364
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5080
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4704
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3884
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:3696
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        System policy modification
        
        PID:3440
        
        C:\Program Files (x86)\Google\Update\Download\data.exe
        
        "C:\Program Files (x86)\Google\Update\Download\data.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\data.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\data.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:5000
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4660
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        System policy modification
        
        PID:5008
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:3540
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3108
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3888
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2288
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3096
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:936
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4980
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2444
      - C:\Users\Admin\Links\update.exe
        
        C:\Users\Admin\Links\update.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2028
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4372
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2408
      - C:\Users\Admin\Pictures\data.exe
        
        C:\Users\Admin\Pictures\data.exe C:\Users\Admin\Pictures\
        6⤵
        System policy modification
        
        PID:2112
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4332
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3980
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        System policy modification
        
        PID:2648
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:804
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3660
      - C:\Users\Public\Downloads\update.exe
        
        C:\Users\Public\Downloads\update.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1876
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:5020
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1836
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:664
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:1180
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:1176
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:3876
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1156
      - C:\Windows\apppatch\CustomSDB\System Restore.exe
        
        "C:\Windows\apppatch\CustomSDB\System Restore.exe" C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3456
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:3720
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4204
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:1656
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:1432
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:4680
    - - C:\Windows\AppReadiness\data.exe
        
        C:\Windows\AppReadiness\data.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:4988
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:3780
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1504

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
1⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2196

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
1⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
1⤵
- Modifies visibility of file extensions in Explorer
PID:1320
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\data.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1160
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:2004
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
    3⤵
    - System policy modification
    PID:2168
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4232
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1468

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
1⤵
PID:2760

C:\Windows\appcompat\backup.exe
C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
1⤵
- Drops file in Windows directory
PID:2148
- C:\Windows\appcompat\appraiser\backup.exe
  C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
  2⤵
  - Drops file in Windows directory
  PID:872
- C:\Windows\appcompat\encapsulation\backup.exe
  C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
  2⤵
  - System policy modification
  PID:1572
- C:\Windows\appcompat\Programs\backup.exe
  C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:768

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
1⤵
PID:4276

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
1⤵
PID:2692

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2052

C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
1⤵
PID:4772

C:\Program Files\Java\jdk1.8.0_66\db\update.exe
"C:\Program Files\Java\jdk1.8.0_66\db\update.exe" C:\Program Files\Java\jdk1.8.0_66\db\
1⤵
- Disables RegEdit via registry modification
PID:3656
- C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
  2⤵
  PID:2100
- C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:1644

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2672

C:\Users\Admin\Pictures\Camera Roll\backup.exe
"C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
1⤵
PID:2872

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
PID:1924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
1⤵
- System policy modification
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
ee6818d519a4f40b82427fb4d5ed8b6c

SHA1
3c21bc137ffa5511b002b92c305ae8232aeb51f0

SHA256
192e124d091ca149b86c5eda24b27da18eb81568e8fb79915e922813cc1f45fe

SHA512
3695daf2ddac75b494afe7326133467f402b15742cadd61051b14946f023bf871c5301398d2104f2e1b7829000a9071ecba73acfde863c50239d628b86921265

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
ee6818d519a4f40b82427fb4d5ed8b6c

SHA1
3c21bc137ffa5511b002b92c305ae8232aeb51f0

SHA256
192e124d091ca149b86c5eda24b27da18eb81568e8fb79915e922813cc1f45fe

SHA512
3695daf2ddac75b494afe7326133467f402b15742cadd61051b14946f023bf871c5301398d2104f2e1b7829000a9071ecba73acfde863c50239d628b86921265

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
544fb7c42f823375eab36dd6171f3e56

SHA1
c837301771a756f8563e32d7cdb7a1b0e968bd08

SHA256
fb9e35bf83bd435b8ce69360b58e52b4fda9fd5acae63e03e01b2bb526d23b6a

SHA512
c9bb4d5cb027e62d493fb68dcc54bfb115a346a58230a5a2951708d040e3470f85c6efbf5d121d3c735bb47db040c267a6e649a03d8e1b01d6e9f826cab87bcf

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
544fb7c42f823375eab36dd6171f3e56

SHA1
c837301771a756f8563e32d7cdb7a1b0e968bd08

SHA256
fb9e35bf83bd435b8ce69360b58e52b4fda9fd5acae63e03e01b2bb526d23b6a

SHA512
c9bb4d5cb027e62d493fb68dcc54bfb115a346a58230a5a2951708d040e3470f85c6efbf5d121d3c735bb47db040c267a6e649a03d8e1b01d6e9f826cab87bcf

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
58bdae2a3962a64e9b5da47cd6a0da0e

SHA1
d9b728441d5660c856078a23aee5924c06150bae

SHA256
35a0c1c6b7e50cb318881b33a1a08e3d8d0f2aa9e5abf8cb2701507248004a8b

SHA512
890c1cb8e5b83d37787629d3b2079e1b0d10f36d40fc564d9c0b6b474969528f1e46201c953699443f30944facfbb3e5c6abcd2657613cd888f11eabc9c7990e

Download Submit
C:\Program Files\7-Zip\System Restore.exe

Filesize
72KB

MD5
58bdae2a3962a64e9b5da47cd6a0da0e

SHA1
d9b728441d5660c856078a23aee5924c06150bae

SHA256
35a0c1c6b7e50cb318881b33a1a08e3d8d0f2aa9e5abf8cb2701507248004a8b

SHA512
890c1cb8e5b83d37787629d3b2079e1b0d10f36d40fc564d9c0b6b474969528f1e46201c953699443f30944facfbb3e5c6abcd2657613cd888f11eabc9c7990e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
66bce6ba5071cf16e9112d7d2e86e167

SHA1
f65b91d34d8ae8fcff75e77af295b9416ded24d1

SHA256
0d2d259086f9e3799279d41f40c4578e99184090f43ca543ccf82a8a79701113

SHA512
4e8af4a27d7719520c2ed68cd918d2632e67f4b528e6c97114d26de8fd349620632853ac5f79dd23477512126d299c53db89eca7f6a755fe9006f72c6afb4bbc

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
66bce6ba5071cf16e9112d7d2e86e167

SHA1
f65b91d34d8ae8fcff75e77af295b9416ded24d1

SHA256
0d2d259086f9e3799279d41f40c4578e99184090f43ca543ccf82a8a79701113

SHA512
4e8af4a27d7719520c2ed68cd918d2632e67f4b528e6c97114d26de8fd349620632853ac5f79dd23477512126d299c53db89eca7f6a755fe9006f72c6afb4bbc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2dd719d847913908816a42089db98954

SHA1
94c58d23eab049e5f1b44381e80cf1c696bc4fe2

SHA256
8eb770d33362984bb4325e0ba36ead7cfe65980a2b6d7f105d27679a2129f49a

SHA512
4f2ad815b071cc764cae43f597f10477070c9660df76d2a1c471a078be477e33c0876f09edf05a72e4744d696cee5235de5fe354d652fc9c7fa2107ca4349e98

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
2dd719d847913908816a42089db98954

SHA1
94c58d23eab049e5f1b44381e80cf1c696bc4fe2

SHA256
8eb770d33362984bb4325e0ba36ead7cfe65980a2b6d7f105d27679a2129f49a

SHA512
4f2ad815b071cc764cae43f597f10477070c9660df76d2a1c471a078be477e33c0876f09edf05a72e4744d696cee5235de5fe354d652fc9c7fa2107ca4349e98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9b9fac426ce1b621e64fb1443feb0464

SHA1
80556f2e1933c64eba75ec1a6e02ee54b7038087

SHA256
0b074944a73ab53aa0fc2470cb28179df37fb6bb4305ed41ade86120aa2746f5

SHA512
44263a01f58436ac779863c0865c064226a68ad1ca3902ee71116cba082d335e25c57a9757405e9818d01f05bb9099e193211575856b08766a545ce3227d7552

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9b9fac426ce1b621e64fb1443feb0464

SHA1
80556f2e1933c64eba75ec1a6e02ee54b7038087

SHA256
0b074944a73ab53aa0fc2470cb28179df37fb6bb4305ed41ade86120aa2746f5

SHA512
44263a01f58436ac779863c0865c064226a68ad1ca3902ee71116cba082d335e25c57a9757405e9818d01f05bb9099e193211575856b08766a545ce3227d7552

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
f42844aa841e8135381fa2c54d9115c0

SHA1
031faca9c75254e3ebb7b3cd0b5df82d2d021ed6

SHA256
052db089c28c5567375186ba4501178362f09e662ef1f4d9c8705fd71452cf67

SHA512
1730424a2587344e5188828264fb446d264cf0e5b01a98cdd1791cfd8bd19cdeb94a41cc1752bebb9abc3575f57021ba9df21e804fd0c18ff2f1586d7979b28e

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
f42844aa841e8135381fa2c54d9115c0

SHA1
031faca9c75254e3ebb7b3cd0b5df82d2d021ed6

SHA256
052db089c28c5567375186ba4501178362f09e662ef1f4d9c8705fd71452cf67

SHA512
1730424a2587344e5188828264fb446d264cf0e5b01a98cdd1791cfd8bd19cdeb94a41cc1752bebb9abc3575f57021ba9df21e804fd0c18ff2f1586d7979b28e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
64ae5148b2c0d00495c22b59701aa58b

SHA1
f9d0826ba446b5c8b2938b60f9788ccfa8336f8f

SHA256
10b48ff056d5c57d7dcea5459f4d41fcd0b70f4d1fe35868703443ba91d16f0c

SHA512
d99c69d1cbe78cfadcbe12bbcf57bf30507574d19678ae964a862e5c829c428fe25dc3c5f0e8b86cef974e3a2a7e741dfa4d149e391df2f360f6c1b933c0adfe

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
64ae5148b2c0d00495c22b59701aa58b

SHA1
f9d0826ba446b5c8b2938b60f9788ccfa8336f8f

SHA256
10b48ff056d5c57d7dcea5459f4d41fcd0b70f4d1fe35868703443ba91d16f0c

SHA512
d99c69d1cbe78cfadcbe12bbcf57bf30507574d19678ae964a862e5c829c428fe25dc3c5f0e8b86cef974e3a2a7e741dfa4d149e391df2f360f6c1b933c0adfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
70e58e9cb3c01cb633a9b582959bee38

SHA1
604713493e11bc37b693a7a6b0e0b6603a84f776

SHA256
511673ac822b47260f339db35b54f037e9add8c221104ae1c9476ab9863566c9

SHA512
cabc5d75058b553348c93f1dfbcf7c58953dd85cacc1633c175accc52fc01ae57d581ba2ffbd94107495799de426304dc1c4b3012701dcbea56bd95cbf3bd223

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
70e58e9cb3c01cb633a9b582959bee38

SHA1
604713493e11bc37b693a7a6b0e0b6603a84f776

SHA256
511673ac822b47260f339db35b54f037e9add8c221104ae1c9476ab9863566c9

SHA512
cabc5d75058b553348c93f1dfbcf7c58953dd85cacc1633c175accc52fc01ae57d581ba2ffbd94107495799de426304dc1c4b3012701dcbea56bd95cbf3bd223

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9b9fac426ce1b621e64fb1443feb0464

SHA1
80556f2e1933c64eba75ec1a6e02ee54b7038087

SHA256
0b074944a73ab53aa0fc2470cb28179df37fb6bb4305ed41ade86120aa2746f5

SHA512
44263a01f58436ac779863c0865c064226a68ad1ca3902ee71116cba082d335e25c57a9757405e9818d01f05bb9099e193211575856b08766a545ce3227d7552

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9b9fac426ce1b621e64fb1443feb0464

SHA1
80556f2e1933c64eba75ec1a6e02ee54b7038087

SHA256
0b074944a73ab53aa0fc2470cb28179df37fb6bb4305ed41ade86120aa2746f5

SHA512
44263a01f58436ac779863c0865c064226a68ad1ca3902ee71116cba082d335e25c57a9757405e9818d01f05bb9099e193211575856b08766a545ce3227d7552

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
31fb8996bc044cd735be1f51b17e8322

SHA1
9d78bdecfcce2aa5fd9bc3a3200130eb446b60c0

SHA256
868914cef788a2e8af16bbc374ef7f22855008ff495bfc33b1702a786b983ba3

SHA512
bbb57120de9d9eeacfc6a1e5cec9e063883000d26b543a5d8bb71ef53ef44ec47932640fd9b72799c50d60a997efc9c4ce1444fb085781001558bda4dfd3a042

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
b2e58b1d6edd29e9ff0bffa9636c38ed

SHA1
86564c65f6766b09b57da3a3fd6845c2393bede7

SHA256
837ae46f7313b8ecb155fe743df852f07d2f5f18ea233a11df0f9a279d0c6084

SHA512
94aabdb3fdb68f785b26d654816cad7b99017b447e96efe30e79ea6f638a994bf705209dc72138318e66c246241a182360e9ee8b02f4438ca92ebe875459ac00

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
1036bfbbf30a683c51402c42d9c64a65

SHA1
0f461358a7ad0afabb40ee51ca75e380d20fb194

SHA256
32d4ff7bae9f36e56fa165278fa44a3c24ead25a9d00d8d9ddbe4415a67aec3d

SHA512
0cb3ec2cd1924fa52c87aad90e1c7947e26568f4fe595d01a96b5bed85e0104c3bd4b165c56e6ac6db3de3cae10acf58d7f9f02964c5bc96870edc9b3242f679

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
1036bfbbf30a683c51402c42d9c64a65

SHA1
0f461358a7ad0afabb40ee51ca75e380d20fb194

SHA256
32d4ff7bae9f36e56fa165278fa44a3c24ead25a9d00d8d9ddbe4415a67aec3d

SHA512
0cb3ec2cd1924fa52c87aad90e1c7947e26568f4fe595d01a96b5bed85e0104c3bd4b165c56e6ac6db3de3cae10acf58d7f9f02964c5bc96870edc9b3242f679

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
6e602b73ed1006ae8c5ee4ec3956b28c

SHA1
c54ef62d9717c0ed2e0abe6ffae76a2b913ae39f

SHA256
cb21abbeccdcd7e6e277441233742e9004c4582a86db2fac0c1f2030f58b69a1

SHA512
8707017bad190b5addca656563729d2d6cbbd839fa21454af487dbf7372f767b762a49d51fe0ef9e4a703261c64de9bbeac5cb4b484f5b878e7c67246016b214

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
6e602b73ed1006ae8c5ee4ec3956b28c

SHA1
c54ef62d9717c0ed2e0abe6ffae76a2b913ae39f

SHA256
cb21abbeccdcd7e6e277441233742e9004c4582a86db2fac0c1f2030f58b69a1

SHA512
8707017bad190b5addca656563729d2d6cbbd839fa21454af487dbf7372f767b762a49d51fe0ef9e4a703261c64de9bbeac5cb4b484f5b878e7c67246016b214

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
153d919c12955dc0375741a2ee893e63

SHA1
6ca9c8bcdec4626e67dfec8ba8e28f0adfe6d3a8

SHA256
3a75ca711af282ead1375f9b4eeac5a0a20480b94a02f3440366d2ae18c5443d

SHA512
754b5db0e97fcc3e08b22ca6cbfa0f4b4319ec7dba2b2a11a57512f705bc0d7ce6af5a1462cb2463d57057035c49edb325e7fe26d6ef72865386662464d9bc09

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
153d919c12955dc0375741a2ee893e63

SHA1
6ca9c8bcdec4626e67dfec8ba8e28f0adfe6d3a8

SHA256
3a75ca711af282ead1375f9b4eeac5a0a20480b94a02f3440366d2ae18c5443d

SHA512
754b5db0e97fcc3e08b22ca6cbfa0f4b4319ec7dba2b2a11a57512f705bc0d7ce6af5a1462cb2463d57057035c49edb325e7fe26d6ef72865386662464d9bc09

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit
C:\Users\Admin\AppData\Local\Temp\3914382429\backup.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\3914382429\backup.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ed20f22b4d8bd346f0fbd26331aa67b7

SHA1
5e0b39d77395849d8c3b98532be2402158a4ab9b

SHA256
8fe00b47e6846ac2605afeb6c3e39c50f1b00c8ddede22ac0784c95f1e7d78f3

SHA512
881f233480dd57aa09055b2d5dd27d3b3ed3a4b71200e88e82e05bce25dad8d6d92ad2c0b7c6eb8c12847b3d39d611673e2e88ed487442d1f75c9842ba5fccc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ed20f22b4d8bd346f0fbd26331aa67b7

SHA1
5e0b39d77395849d8c3b98532be2402158a4ab9b

SHA256
8fe00b47e6846ac2605afeb6c3e39c50f1b00c8ddede22ac0784c95f1e7d78f3

SHA512
881f233480dd57aa09055b2d5dd27d3b3ed3a4b71200e88e82e05bce25dad8d6d92ad2c0b7c6eb8c12847b3d39d611673e2e88ed487442d1f75c9842ba5fccc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ed20f22b4d8bd346f0fbd26331aa67b7

SHA1
5e0b39d77395849d8c3b98532be2402158a4ab9b

SHA256
8fe00b47e6846ac2605afeb6c3e39c50f1b00c8ddede22ac0784c95f1e7d78f3

SHA512
881f233480dd57aa09055b2d5dd27d3b3ed3a4b71200e88e82e05bce25dad8d6d92ad2c0b7c6eb8c12847b3d39d611673e2e88ed487442d1f75c9842ba5fccc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ed20f22b4d8bd346f0fbd26331aa67b7

SHA1
5e0b39d77395849d8c3b98532be2402158a4ab9b

SHA256
8fe00b47e6846ac2605afeb6c3e39c50f1b00c8ddede22ac0784c95f1e7d78f3

SHA512
881f233480dd57aa09055b2d5dd27d3b3ed3a4b71200e88e82e05bce25dad8d6d92ad2c0b7c6eb8c12847b3d39d611673e2e88ed487442d1f75c9842ba5fccc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
aca507c7b3f9de74304445c8bc149cdd

SHA1
54bb5e9be100e99e72f7e655acc321bd767c2a7c

SHA256
e94b5a3deda47aa1cccf92c6b9ba8e0fbec759c08820aad2f0933fb36d75761b

SHA512
82f9cc540a9ee746dc59b1cac5ffeea31ac4ca6c20e7935003eddbaa9ae855cddbebdfe389b80003f63a0a82b75eb0a92b2702eaf6444239606d3544314589da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
aca507c7b3f9de74304445c8bc149cdd

SHA1
54bb5e9be100e99e72f7e655acc321bd767c2a7c

SHA256
e94b5a3deda47aa1cccf92c6b9ba8e0fbec759c08820aad2f0933fb36d75761b

SHA512
82f9cc540a9ee746dc59b1cac5ffeea31ac4ca6c20e7935003eddbaa9ae855cddbebdfe389b80003f63a0a82b75eb0a92b2702eaf6444239606d3544314589da

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
20f7b3e9ddc955f3ed66c8997296b18d

SHA1
a2422869d2ece4046a007268e13e9cfc350a1d22

SHA256
90a2d7d1583d92598bddc707ecf7bac80805b800a36afb9d22b692adc833665e

SHA512
c213fe3de6ccbaaf242b0f51e8b267cbc3b66d7c9c87ad63716afe1eaf712850b419e7147d59d57a6484a4380ebf6ab3353577399bb787431d6bc326cd072501

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
aca507c7b3f9de74304445c8bc149cdd

SHA1
54bb5e9be100e99e72f7e655acc321bd767c2a7c

SHA256
e94b5a3deda47aa1cccf92c6b9ba8e0fbec759c08820aad2f0933fb36d75761b

SHA512
82f9cc540a9ee746dc59b1cac5ffeea31ac4ca6c20e7935003eddbaa9ae855cddbebdfe389b80003f63a0a82b75eb0a92b2702eaf6444239606d3544314589da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
aca507c7b3f9de74304445c8bc149cdd

SHA1
54bb5e9be100e99e72f7e655acc321bd767c2a7c

SHA256
e94b5a3deda47aa1cccf92c6b9ba8e0fbec759c08820aad2f0933fb36d75761b

SHA512
82f9cc540a9ee746dc59b1cac5ffeea31ac4ca6c20e7935003eddbaa9ae855cddbebdfe389b80003f63a0a82b75eb0a92b2702eaf6444239606d3544314589da

Download Submit
C:\backup.exe

Filesize
72KB

MD5
1de2cc17f6bcb3dde0ff91fe0381649a

SHA1
3fc2287f600f12da0ccc5bd7eac713f77874dcd5

SHA256
5d382b3588f5c541592debee31b0f7ac1e5ff8aced7cc495a30fa4eddaf16762

SHA512
18ef8982a70e98bd1a39c0ea3df91e6e58653f5f59d04cb3f101a70e4d1a1d20bd4a4369fc5bc74c6f69072d7277e83c03a7f4dbf0c6ff7a1e1c542b4ca59082

Download Submit
C:\backup.exe

Filesize
72KB

MD5
1de2cc17f6bcb3dde0ff91fe0381649a

SHA1
3fc2287f600f12da0ccc5bd7eac713f77874dcd5

SHA256
5d382b3588f5c541592debee31b0f7ac1e5ff8aced7cc495a30fa4eddaf16762

SHA512
18ef8982a70e98bd1a39c0ea3df91e6e58653f5f59d04cb3f101a70e4d1a1d20bd4a4369fc5bc74c6f69072d7277e83c03a7f4dbf0c6ff7a1e1c542b4ca59082

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0061334a05df35973d7d7e3ae00a33a9

SHA1
8c51553885862aa264f61a5fff8696e68673f623

SHA256
cbc7de7b72adacb1f0e0f7fb53939a7d86aedef300ac88d3d5e41c0220755135

SHA512
dd890296f84c0a86cab20291085afb8bcdcade78d8460b7e06909a0a7f52a9eda20605a3c843a4f003605dbe5089d2f0369315a3d189efc688878e2b87468505

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads