86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f

Analysis

max time kernel
192s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
Size

72KB
MD5

019e32bcf4f111217ce220675db1cdf1
SHA1

c8d40b8b899db771097065f8e6bc881414bf2f24
SHA256

86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f
SHA512

8611ed03cc7fc9c9f6797d2e73c4e1b95c8867438207212f2029eda8fb11b864ef0175c5707cd0fdbe05de9a5e7099b1d338af6c5136a559b3cea207af0b8120
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2R:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPF

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1668	backup.exe
5108	System Restore.exe
1264	backup.exe
1860	backup.exe
3164	backup.exe
3352	backup.exe
4036	backup.exe
5088	backup.exe
2016	backup.exe
3068	backup.exe
3328	backup.exe
4984	backup.exe
3664	backup.exe
3120	backup.exe
4860	backup.exe
2304	backup.exe
1868	update.exe
4044	backup.exe
4328	backup.exe
2760	data.exe
4908	System Restore.exe
3172	backup.exe
4180	backup.exe
452	backup.exe
4956	backup.exe
4416	data.exe
1580	backup.exe
2860	backup.exe
2876	backup.exe
4364	backup.exe
3628	backup.exe
2536	backup.exe
2032	backup.exe
864	backup.exe
4040	backup.exe
4012	backup.exe
1676	backup.exe
1264	data.exe
2648	backup.exe
4068	backup.exe
1980	backup.exe
4712	System Restore.exe
2812	backup.exe
1884	backup.exe
3832	backup.exe
1204	data.exe
960	backup.exe
4496	backup.exe
3908	backup.exe
2080	backup.exe
3124	backup.exe
3796	backup.exe
3168	backup.exe
1852	System Restore.exe
4484	backup.exe
4192	backup.exe
4748	backup.exe
1288	update.exe
1524	backup.exe
4208	backup.exe
1144	backup.exe
4872	backup.exe
5100	backup.exe
2076	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
1668	backup.exe
5108	System Restore.exe
1264	backup.exe
1860	backup.exe
3164	backup.exe
3352	backup.exe
4036	backup.exe
5088	backup.exe
2016	backup.exe
3068	backup.exe
3328	backup.exe
4984	backup.exe
3664	backup.exe
3120	backup.exe
4860	backup.exe
2304	backup.exe
1868	update.exe
4044	backup.exe
4328	backup.exe
2760	data.exe
4908	System Restore.exe
3172	backup.exe
4956	backup.exe
452	backup.exe
4180	backup.exe
4416	data.exe
1580	backup.exe
2860	backup.exe
2876	backup.exe
4364	backup.exe
3628	backup.exe
2536	backup.exe
2032	backup.exe
864	backup.exe
4040	backup.exe
4012	backup.exe
1676	backup.exe
1264	data.exe
1980	backup.exe
4068	backup.exe
2648	backup.exe
4712	System Restore.exe
2812	backup.exe
1884	backup.exe
1204	data.exe
3832	backup.exe
960	backup.exe
4496	backup.exe
3908	backup.exe
2080	backup.exe
3124	backup.exe
3796	backup.exe
3168	backup.exe
1852	System Restore.exe
4484	backup.exe
4192	backup.exe
4748	backup.exe
1288	update.exe
5100	backup.exe
4208	backup.exe
1144	backup.exe
2076	backup.exe
1524	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 1668	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	82
PID 4048 wrote to memory of 1668	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	82
PID 4048 wrote to memory of 1668	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	82
PID 4048 wrote to memory of 5108	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	83
PID 4048 wrote to memory of 5108	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	83
PID 4048 wrote to memory of 5108	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	83
PID 4048 wrote to memory of 1264	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	84
PID 4048 wrote to memory of 1264	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	84
PID 4048 wrote to memory of 1264	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	84
PID 4048 wrote to memory of 1860	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	85
PID 4048 wrote to memory of 1860	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	85
PID 4048 wrote to memory of 1860	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	85
PID 4048 wrote to memory of 3164	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	86
PID 4048 wrote to memory of 3164	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	86
PID 4048 wrote to memory of 3164	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	86
PID 4048 wrote to memory of 3352	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	87
PID 4048 wrote to memory of 3352	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	87
PID 4048 wrote to memory of 3352	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	87
PID 4048 wrote to memory of 4036	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	88
PID 4048 wrote to memory of 4036	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	88
PID 4048 wrote to memory of 4036	4048	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe	88
PID 1668 wrote to memory of 5088	1668	backup.exe	89
PID 1668 wrote to memory of 5088	1668	backup.exe	89
PID 1668 wrote to memory of 5088	1668	backup.exe	89
PID 5088 wrote to memory of 2016	5088	backup.exe	90
PID 5088 wrote to memory of 2016	5088	backup.exe	90
PID 5088 wrote to memory of 2016	5088	backup.exe	90
PID 5088 wrote to memory of 3068	5088	backup.exe	91
PID 5088 wrote to memory of 3068	5088	backup.exe	91
PID 5088 wrote to memory of 3068	5088	backup.exe	91
PID 5088 wrote to memory of 3328	5088	backup.exe	92
PID 5088 wrote to memory of 3328	5088	backup.exe	92
PID 5088 wrote to memory of 3328	5088	backup.exe	92
PID 3328 wrote to memory of 4984	3328	backup.exe	93
PID 3328 wrote to memory of 4984	3328	backup.exe	93
PID 3328 wrote to memory of 4984	3328	backup.exe	93
PID 4984 wrote to memory of 3664	4984	backup.exe	94
PID 4984 wrote to memory of 3664	4984	backup.exe	94
PID 4984 wrote to memory of 3664	4984	backup.exe	94
PID 3328 wrote to memory of 3120	3328	backup.exe	95
PID 3328 wrote to memory of 3120	3328	backup.exe	95
PID 3328 wrote to memory of 3120	3328	backup.exe	95
PID 3120 wrote to memory of 4860	3120	backup.exe	96
PID 3120 wrote to memory of 4860	3120	backup.exe	96
PID 3120 wrote to memory of 4860	3120	backup.exe	96
PID 3120 wrote to memory of 2304	3120	backup.exe	97
PID 3120 wrote to memory of 2304	3120	backup.exe	97
PID 3120 wrote to memory of 2304	3120	backup.exe	97
PID 2304 wrote to memory of 1868	2304	backup.exe	98
PID 2304 wrote to memory of 1868	2304	backup.exe	98
PID 2304 wrote to memory of 1868	2304	backup.exe	98
PID 2304 wrote to memory of 4044	2304	backup.exe	99
PID 2304 wrote to memory of 4044	2304	backup.exe	99
PID 2304 wrote to memory of 4044	2304	backup.exe	99
PID 4044 wrote to memory of 4328	4044	backup.exe	100
PID 4044 wrote to memory of 4328	4044	backup.exe	100
PID 4044 wrote to memory of 4328	4044	backup.exe	100
PID 4044 wrote to memory of 2760	4044	backup.exe	101
PID 4044 wrote to memory of 2760	4044	backup.exe	101
PID 4044 wrote to memory of 2760	4044	backup.exe	101
PID 4044 wrote to memory of 4908	4044	backup.exe	102
PID 4044 wrote to memory of 4908	4044	backup.exe	102
PID 4044 wrote to memory of 4908	4044	backup.exe	102
PID 3120 wrote to memory of 3172	3120	backup.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe

C:\Users\Admin\AppData\Local\Temp\86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe
"C:\Users\Admin\AppData\Local\Temp\86a879ab4eb77ccea8d0ee425d5f14fde6616dbe1e46194b9267c766e7cc796f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4048
- C:\Users\Admin\AppData\Local\Temp\1776851312\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1776851312\backup.exe C:\Users\Admin\AppData\Local\Temp\1776851312\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5088
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2016
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3068
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3328
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3664
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4860
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4328
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2032
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1264
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2812
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4496
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1852
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4208
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:220
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        System policy modification
        
        PID:4260
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4616
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:4264
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3460
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2636
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3572
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4860
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:2820
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4848
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:528
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3460
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:864
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1136
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4060
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4532
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1008
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        System policy modification
        
        PID:3676
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1968
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:3168
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4032
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1652
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:1140
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3172
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4416
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4012
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3908
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:4872
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1980
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4348
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4624
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1880
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3572
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1976
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2676
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:4360
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:3660
        
        C:\Program Files\Common Files\System\Ole DB\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\update.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:3248
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1172
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4180
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        System policy modification
        
        PID:4408
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3712
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1448
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:3140
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2808
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1804
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:2796
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2280
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2080
      - C:\Program Files\Internet Explorer\de-DE\update.exe
        
        "C:\Program Files\Internet Explorer\de-DE\update.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1288
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:4588
      - C:\Program Files\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:4560
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2332
      - C:\Program Files\Internet Explorer\ja-JP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:372
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2380
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1972
      - C:\Program Files\Java\jdk1.8.0_66\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\data.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1860
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        System policy modification
        
        PID:1328
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:928
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4236
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4208
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1904
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:3156
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:4000
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:4232
      - C:\Program Files\Java\jre1.8.0_66\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\update.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4336
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:5040
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:4500
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:5072
    - - C:\Program Files\Microsoft Office 15\update.exe
        
        "C:\Program Files\Microsoft Office 15\update.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3032
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2912
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:3912
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4956
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        System policy modification
        
        PID:3464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3508
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:4100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        
        PID:784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:2656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:3356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:3308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:3140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3464
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5112
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:3364
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4920
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3912
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4004
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4616
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:4544
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:1648
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4856
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:4792
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:1192
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4304
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:4412
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3756
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3628
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:3644
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4772
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:3828
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:4604
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3124
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4748
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3572
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3680
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2052
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1884
      - C:\Users\Admin\Downloads\update.exe
        
        C:\Users\Admin\Downloads\update.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1480
      - C:\Users\Admin\Links\update.exe
        
        C:\Users\Admin\Links\update.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2684
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3864
      - C:\Users\Admin\OneDrive\update.exe
        
        C:\Users\Admin\OneDrive\update.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:620
      - C:\Users\Admin\Pictures\update.exe
        
        C:\Users\Admin\Pictures\update.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4260
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:5060
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3136
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4192
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1304
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4364
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3672
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:4536
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3828
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:1736
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:4684
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1732
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:1300
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:4836
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2364
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:3716
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:3624
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:3504
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:4472
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\acrocef_low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4036

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1524

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0e476f8e8f424f1cec7f93abe65b5e40

SHA1
abd876d9f45ed30a27677443c92f9c887b5b9423

SHA256
3e6fca3e54b5202f1c23e0b5fd66d8051619a196e2955676c6988f3a0b095b5f

SHA512
69eeabef22b69f5d8e36fa283dbb1e124939759f30d25b09042422e8dbd853e9a504104c2840c3f77476c4bd90828b12a6891e50b9d25e502694f803e708001b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0e476f8e8f424f1cec7f93abe65b5e40

SHA1
abd876d9f45ed30a27677443c92f9c887b5b9423

SHA256
3e6fca3e54b5202f1c23e0b5fd66d8051619a196e2955676c6988f3a0b095b5f

SHA512
69eeabef22b69f5d8e36fa283dbb1e124939759f30d25b09042422e8dbd853e9a504104c2840c3f77476c4bd90828b12a6891e50b9d25e502694f803e708001b

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
5e9a7e6f1aa036a4d19d2ea0b9a48a25

SHA1
8e9b084d518b47f3fe1f669ba76c55dfde78382a

SHA256
ab69772da5e8c641d2dca00d3fadf67688aa768d1dbbe3ea25c50064c422fa3c

SHA512
c5b5630121f84fa20513299a034e07a59a339ab14473e3a98e7a1f6e78c2667c7bc69262a3b120f83b9e0f9b55235317d9a170ee25c0114b2e2a510fcaafe0a2

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
5e9a7e6f1aa036a4d19d2ea0b9a48a25

SHA1
8e9b084d518b47f3fe1f669ba76c55dfde78382a

SHA256
ab69772da5e8c641d2dca00d3fadf67688aa768d1dbbe3ea25c50064c422fa3c

SHA512
c5b5630121f84fa20513299a034e07a59a339ab14473e3a98e7a1f6e78c2667c7bc69262a3b120f83b9e0f9b55235317d9a170ee25c0114b2e2a510fcaafe0a2

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
d9d5f5c88047bd0d5712e858a350f118

SHA1
9bce1fdfe7e2764b73962b01b60da74b549008ac

SHA256
237ca6e25ea1a824fba3d76ffeb6ee112e535f99f49840fb63cc5cb9c073d82f

SHA512
41ceb07d19906eee9cd82ae240d69b4264ce0138fa771c5cfc3d6fcf1a620189e7f7ad31bc7eb29e4d01236560e1a7edd7779de9a3c85d2ce6877a3935103c01

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
d9d5f5c88047bd0d5712e858a350f118

SHA1
9bce1fdfe7e2764b73962b01b60da74b549008ac

SHA256
237ca6e25ea1a824fba3d76ffeb6ee112e535f99f49840fb63cc5cb9c073d82f

SHA512
41ceb07d19906eee9cd82ae240d69b4264ce0138fa771c5cfc3d6fcf1a620189e7f7ad31bc7eb29e4d01236560e1a7edd7779de9a3c85d2ce6877a3935103c01

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
69997b1fe835caa0f9646e90a98cd408

SHA1
257c7562ee6c8401018b1d6ddcbabc2c9a6a2b2d

SHA256
d3f3eac904df4ff3b9fbcda4b9f82deff0fefadffa3578e81e8daa8276aaf09e

SHA512
a3d67ae487570160ccb3c2a58f2c97b58fd5a15b497f69d2f396345d5bbc1ef902cb71ee09358fb7e86a22b396836a2cdad68c4bd579634109496408dea8c471

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
69997b1fe835caa0f9646e90a98cd408

SHA1
257c7562ee6c8401018b1d6ddcbabc2c9a6a2b2d

SHA256
d3f3eac904df4ff3b9fbcda4b9f82deff0fefadffa3578e81e8daa8276aaf09e

SHA512
a3d67ae487570160ccb3c2a58f2c97b58fd5a15b497f69d2f396345d5bbc1ef902cb71ee09358fb7e86a22b396836a2cdad68c4bd579634109496408dea8c471

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbedaa554cd1ec16e96901de3eb79d2b

SHA1
11f5ffe6c863eac9234ec8abcfa868a781277f15

SHA256
6e9be6de84ccd7a6a578fbe4d09e07a0e118632e035dab96d399c24c8a48dd90

SHA512
73e830d2f080ffded3507e99e30e391daab83d21cfb9aed40f01331f5a12b7ab30c5b68cef7fef628660fc0f788cf49b1e74089d0918f911ce86cf8db25d629e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbedaa554cd1ec16e96901de3eb79d2b

SHA1
11f5ffe6c863eac9234ec8abcfa868a781277f15

SHA256
6e9be6de84ccd7a6a578fbe4d09e07a0e118632e035dab96d399c24c8a48dd90

SHA512
73e830d2f080ffded3507e99e30e391daab83d21cfb9aed40f01331f5a12b7ab30c5b68cef7fef628660fc0f788cf49b1e74089d0918f911ce86cf8db25d629e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
92a6a9fc33919556f34df100d04e6506

SHA1
b7764c9af8e94f93b77988c458108d1cb305eccb

SHA256
a79e94c058b0f870bed28cac61cdc15e10a7536e8f99f9a5a2b19a6eee802a56

SHA512
c6adb3bf004e1c282fdb632dfb77a41c9c97db0763c6ddace39ce37ebe96c5b312cb3f9df2c6fc0ccc1dd181710fbff486bbd13761962c96b7ecf5b1fc9459aa

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
92a6a9fc33919556f34df100d04e6506

SHA1
b7764c9af8e94f93b77988c458108d1cb305eccb

SHA256
a79e94c058b0f870bed28cac61cdc15e10a7536e8f99f9a5a2b19a6eee802a56

SHA512
c6adb3bf004e1c282fdb632dfb77a41c9c97db0763c6ddace39ce37ebe96c5b312cb3f9df2c6fc0ccc1dd181710fbff486bbd13761962c96b7ecf5b1fc9459aa

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
1379ee869fd0bdf3aaaf4b349ed140a5

SHA1
e01f71294cf449f20898e9276d9b817946793ce9

SHA256
e174b59376ed05671a7a70de0c6c40ec186eb1861b64702b5c63ac72c18a7562

SHA512
075732dd4753d9ac08f05c26086006b9efa2700a91ccfb55bbf4a8f9d4f23a83e8f8444b759aa22b9ddcf06c3a2d496ef502ded984c936b8f9d7f0717e6666de

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
1379ee869fd0bdf3aaaf4b349ed140a5

SHA1
e01f71294cf449f20898e9276d9b817946793ce9

SHA256
e174b59376ed05671a7a70de0c6c40ec186eb1861b64702b5c63ac72c18a7562

SHA512
075732dd4753d9ac08f05c26086006b9efa2700a91ccfb55bbf4a8f9d4f23a83e8f8444b759aa22b9ddcf06c3a2d496ef502ded984c936b8f9d7f0717e6666de

Download Submit
C:\Program Files\Common Files\System\ado\backup.exe

Filesize
72KB

MD5
15fb7fc6776bc053485528a13761a26f

SHA1
fa138c8ca4c28d701eb00ae74383307f37032d12

SHA256
389ba6deaa665a50784c084b0dfcc6ca9eec47b180f3e6dac8d412787ddd0a25

SHA512
1d088058d3658433e671f5e0e4f5b4a2d77cf822b60b7acefb0cd1f630d057ac8951766977350d0922ecf3d4cb8e02615dd74d273d6231f4bd6b82ffd4fc4ed3

Download Submit
C:\Program Files\Common Files\System\ado\backup.exe

Filesize
72KB

MD5
15fb7fc6776bc053485528a13761a26f

SHA1
fa138c8ca4c28d701eb00ae74383307f37032d12

SHA256
389ba6deaa665a50784c084b0dfcc6ca9eec47b180f3e6dac8d412787ddd0a25

SHA512
1d088058d3658433e671f5e0e4f5b4a2d77cf822b60b7acefb0cd1f630d057ac8951766977350d0922ecf3d4cb8e02615dd74d273d6231f4bd6b82ffd4fc4ed3

Download Submit
C:\Program Files\Common Files\System\data.exe

Filesize
72KB

MD5
3e84a610a25ed93a781fa31174fa53db

SHA1
185445dfc10a759d00c2a6cd8c3e3d9d537db0e3

SHA256
86606119f9c5f1852aa71a3e4829dc9fb09b32037debb7f138d24c83dc1e62b8

SHA512
ae6c87a7596ddebf03b1c3ad97b18b90ed15eba16052fe9cb5d59b1d04306ed6e0859b9991b547962df5dc366c282037f23a4db43f6f051c404566b596082261

Download Submit
C:\Program Files\Common Files\System\data.exe

Filesize
72KB

MD5
3e84a610a25ed93a781fa31174fa53db

SHA1
185445dfc10a759d00c2a6cd8c3e3d9d537db0e3

SHA256
86606119f9c5f1852aa71a3e4829dc9fb09b32037debb7f138d24c83dc1e62b8

SHA512
ae6c87a7596ddebf03b1c3ad97b18b90ed15eba16052fe9cb5d59b1d04306ed6e0859b9991b547962df5dc366c282037f23a4db43f6f051c404566b596082261

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
44deb57c2ba024908240a9cdda729114

SHA1
8b1c87c13c723b72b199bf8a28daafcfd7b8dede

SHA256
41dc2754b278adff9d334e78aaf174926eeab4d3b98ae0280b8772736b867248

SHA512
93bbd53ac8886779b28f9d38cf4eb3c75923d0ff57a314c25c1a392a2a7b336765a0b622bdd112df1949291c217420318f8591eac5d1153e8c1b081ba41e590b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
44deb57c2ba024908240a9cdda729114

SHA1
8b1c87c13c723b72b199bf8a28daafcfd7b8dede

SHA256
41dc2754b278adff9d334e78aaf174926eeab4d3b98ae0280b8772736b867248

SHA512
93bbd53ac8886779b28f9d38cf4eb3c75923d0ff57a314c25c1a392a2a7b336765a0b622bdd112df1949291c217420318f8591eac5d1153e8c1b081ba41e590b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
07a48cee7c448ffa49a04aa20e0a0443

SHA1
5fe65594a35e914dc3f15c37864fb1be5af7182c

SHA256
704d993e8afd81fd6a2824248092a99170616f354c98bd12bc8506ca45f5c45e

SHA512
698d4d1eba21369fa85f30728e00aafa2373a198c774b8afb0d43a572e44037a649ec24d69336e7f24503da5c251d8b618cd90bec6e17aad42bb730792c3020e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe

Filesize
72KB

MD5
07a48cee7c448ffa49a04aa20e0a0443

SHA1
5fe65594a35e914dc3f15c37864fb1be5af7182c

SHA256
704d993e8afd81fd6a2824248092a99170616f354c98bd12bc8506ca45f5c45e

SHA512
698d4d1eba21369fa85f30728e00aafa2373a198c774b8afb0d43a572e44037a649ec24d69336e7f24503da5c251d8b618cd90bec6e17aad42bb730792c3020e

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
3aabf2af59577786631d29da62e27f5d

SHA1
8625b9a967c2b9a9818029aa0860c444d6007b51

SHA256
4326dbadd25863887b0824cc42151fd40f9913b89b22ad293976a6cd8c38fe6b

SHA512
c6b939ff9fa882e53f0460565d6779a163afcd8cfad1323971083262746b97852c2a4dc6a3f70ef712bfb5df4cbd73fbcc4ddb63425db8516bbcf448cb254870

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
3aabf2af59577786631d29da62e27f5d

SHA1
8625b9a967c2b9a9818029aa0860c444d6007b51

SHA256
4326dbadd25863887b0824cc42151fd40f9913b89b22ad293976a6cd8c38fe6b

SHA512
c6b939ff9fa882e53f0460565d6779a163afcd8cfad1323971083262746b97852c2a4dc6a3f70ef712bfb5df4cbd73fbcc4ddb63425db8516bbcf448cb254870

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
172ce787dfe256618ef8c91634dbfa8c

SHA1
bacf46366648bd94c29348093e6955e3bba74f1c

SHA256
5e0552cb05ee1d84ed1860e394ffa74595c2321399c8602f29ce8d00ee32f2a3

SHA512
e2a9a9b01ee745a7ffb0b5d3eb9291790b0adc2ff41484a1cecd48a423655010655ad61a0bcd5ef6a474ae5392f20cdd96e56ffe59da5d15ee3cd02b79570f66

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
172ce787dfe256618ef8c91634dbfa8c

SHA1
bacf46366648bd94c29348093e6955e3bba74f1c

SHA256
5e0552cb05ee1d84ed1860e394ffa74595c2321399c8602f29ce8d00ee32f2a3

SHA512
e2a9a9b01ee745a7ffb0b5d3eb9291790b0adc2ff41484a1cecd48a423655010655ad61a0bcd5ef6a474ae5392f20cdd96e56ffe59da5d15ee3cd02b79570f66

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
92a6a9fc33919556f34df100d04e6506

SHA1
b7764c9af8e94f93b77988c458108d1cb305eccb

SHA256
a79e94c058b0f870bed28cac61cdc15e10a7536e8f99f9a5a2b19a6eee802a56

SHA512
c6adb3bf004e1c282fdb632dfb77a41c9c97db0763c6ddace39ce37ebe96c5b312cb3f9df2c6fc0ccc1dd181710fbff486bbd13761962c96b7ecf5b1fc9459aa

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
92a6a9fc33919556f34df100d04e6506

SHA1
b7764c9af8e94f93b77988c458108d1cb305eccb

SHA256
a79e94c058b0f870bed28cac61cdc15e10a7536e8f99f9a5a2b19a6eee802a56

SHA512
c6adb3bf004e1c282fdb632dfb77a41c9c97db0763c6ddace39ce37ebe96c5b312cb3f9df2c6fc0ccc1dd181710fbff486bbd13761962c96b7ecf5b1fc9459aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
b33c49258cf229585e9396d955244b90

SHA1
ac692083a3953db5c539e7989264af357aab46c7

SHA256
8ada2ff5924170c09f18ab8cd5c1a1883baae81cc7ce53d882ddbc387bb7bf83

SHA512
9c4e2fac630463c2ba02170a623c9d84c5686dda4dfd2d7be2ee669f01ff256af387dc15627fac2d6ab1c355a79b5fa506d7ef1e4bee0b7cd73c81adcf5889cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
b33c49258cf229585e9396d955244b90

SHA1
ac692083a3953db5c539e7989264af357aab46c7

SHA256
8ada2ff5924170c09f18ab8cd5c1a1883baae81cc7ce53d882ddbc387bb7bf83

SHA512
9c4e2fac630463c2ba02170a623c9d84c5686dda4dfd2d7be2ee669f01ff256af387dc15627fac2d6ab1c355a79b5fa506d7ef1e4bee0b7cd73c81adcf5889cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
07a48cee7c448ffa49a04aa20e0a0443

SHA1
5fe65594a35e914dc3f15c37864fb1be5af7182c

SHA256
704d993e8afd81fd6a2824248092a99170616f354c98bd12bc8506ca45f5c45e

SHA512
698d4d1eba21369fa85f30728e00aafa2373a198c774b8afb0d43a572e44037a649ec24d69336e7f24503da5c251d8b618cd90bec6e17aad42bb730792c3020e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
07a48cee7c448ffa49a04aa20e0a0443

SHA1
5fe65594a35e914dc3f15c37864fb1be5af7182c

SHA256
704d993e8afd81fd6a2824248092a99170616f354c98bd12bc8506ca45f5c45e

SHA512
698d4d1eba21369fa85f30728e00aafa2373a198c774b8afb0d43a572e44037a649ec24d69336e7f24503da5c251d8b618cd90bec6e17aad42bb730792c3020e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
ba2736f407213a1ccacf525b4e538705

SHA1
d14c4b89c977792cee76ba650d3d6b1484c2961a

SHA256
303e0edf961c091cf2b2d9379428c201063c32ceebe73a096a13cc2587005671

SHA512
00101e385a443f804265d75a5be63a35db02ea912fccc7508ee782b273db6924f57acc13b3e31f6c608e6ede31eb27e5434643f384534594a965bb6eb8cf8e3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\data.exe

Filesize
72KB

MD5
ba2736f407213a1ccacf525b4e538705

SHA1
d14c4b89c977792cee76ba650d3d6b1484c2961a

SHA256
303e0edf961c091cf2b2d9379428c201063c32ceebe73a096a13cc2587005671

SHA512
00101e385a443f804265d75a5be63a35db02ea912fccc7508ee782b273db6924f57acc13b3e31f6c608e6ede31eb27e5434643f384534594a965bb6eb8cf8e3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
ba2736f407213a1ccacf525b4e538705

SHA1
d14c4b89c977792cee76ba650d3d6b1484c2961a

SHA256
303e0edf961c091cf2b2d9379428c201063c32ceebe73a096a13cc2587005671

SHA512
00101e385a443f804265d75a5be63a35db02ea912fccc7508ee782b273db6924f57acc13b3e31f6c608e6ede31eb27e5434643f384534594a965bb6eb8cf8e3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
ba2736f407213a1ccacf525b4e538705

SHA1
d14c4b89c977792cee76ba650d3d6b1484c2961a

SHA256
303e0edf961c091cf2b2d9379428c201063c32ceebe73a096a13cc2587005671

SHA512
00101e385a443f804265d75a5be63a35db02ea912fccc7508ee782b273db6924f57acc13b3e31f6c608e6ede31eb27e5434643f384534594a965bb6eb8cf8e3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5994fb5a96835a369846dea9a0880022

SHA1
2ab2f7d76cffc185bb6a029a5845c68b5465816b

SHA256
ebe5c62a1eff20464273867132296319e962264147790aa028bf3fad891c5bb3

SHA512
8edfbd1f84bc0cd15f72c436c0e321d716e71a4263b2c18976569b975f3f4111df021b9fabbeb1f54aea0d3d2d590a21531ca8b9f3f09bf4ae2a9d9df925e1b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5994fb5a96835a369846dea9a0880022

SHA1
2ab2f7d76cffc185bb6a029a5845c68b5465816b

SHA256
ebe5c62a1eff20464273867132296319e962264147790aa028bf3fad891c5bb3

SHA512
8edfbd1f84bc0cd15f72c436c0e321d716e71a4263b2c18976569b975f3f4111df021b9fabbeb1f54aea0d3d2d590a21531ca8b9f3f09bf4ae2a9d9df925e1b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
6565f2d9ce4271754c92be5ff3864b68

SHA1
66f61aceae684baf2c8eb7a53d3b088521e79094

SHA256
0e22c165abdda86a02ea904c048716bea7172c625513156ec6f3ca59bb8f6bc3

SHA512
842f1cf90bbacb35b76e03753b417cce6b3cc47f9674ab0ffd3251dd2882a444154aac2ac1860b36e8d31d18b9991dabffac103005e709a9bf28f2acb746723d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
6565f2d9ce4271754c92be5ff3864b68

SHA1
66f61aceae684baf2c8eb7a53d3b088521e79094

SHA256
0e22c165abdda86a02ea904c048716bea7172c625513156ec6f3ca59bb8f6bc3

SHA512
842f1cf90bbacb35b76e03753b417cce6b3cc47f9674ab0ffd3251dd2882a444154aac2ac1860b36e8d31d18b9991dabffac103005e709a9bf28f2acb746723d

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
fb7a73115722a54214f0278b25354ee0

SHA1
ef8f4a78653281cad820f2a4b8ee90d1f85c76bd

SHA256
fe8c706bfffecfb8cd1c35ff875a6c4d54803334171f6218393b74dbf7ba617e

SHA512
c5e53d175994d8e5a13268728e5786f75aae456e19f0911e386d619986cd0746232955df9e6a1a297837e9e675e7c8254a665350b4fc228f3f4478397bd43beb

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
fb7a73115722a54214f0278b25354ee0

SHA1
ef8f4a78653281cad820f2a4b8ee90d1f85c76bd

SHA256
fe8c706bfffecfb8cd1c35ff875a6c4d54803334171f6218393b74dbf7ba617e

SHA512
c5e53d175994d8e5a13268728e5786f75aae456e19f0911e386d619986cd0746232955df9e6a1a297837e9e675e7c8254a665350b4fc228f3f4478397bd43beb

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
e2ade349b8bdf3643a8e9684616ee5ee

SHA1
41618b8854a6a65d813de8e86901c7df8f97e6fb

SHA256
e752693ae0cf3a01c681b0929a1fe7fb7ebb741fc279bed67310282f2eff4edc

SHA512
9e9c4bf0179abca8bd618b804b72a73939e0fd5aeb96b55bbca4b6391386814483c0624f7718c1cef12d50241db00cf90f4954d48ec02f0f35422816f86b3f9c

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
e2ade349b8bdf3643a8e9684616ee5ee

SHA1
41618b8854a6a65d813de8e86901c7df8f97e6fb

SHA256
e752693ae0cf3a01c681b0929a1fe7fb7ebb741fc279bed67310282f2eff4edc

SHA512
9e9c4bf0179abca8bd618b804b72a73939e0fd5aeb96b55bbca4b6391386814483c0624f7718c1cef12d50241db00cf90f4954d48ec02f0f35422816f86b3f9c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2aab9385e2c17488516863265956dffd

SHA1
83cc49d560c341971c9c755e11d169577bed4864

SHA256
667454fec272140ce5ec94bf8cecedc20f28c0f2f32cf2952de0e6f2ba1744bd

SHA512
af3c72e243479ab6fc12c56e850c84a9632f44b5c05851929b2defa2a3d32aeacf8511305f9ffd2ce284087267c521152e7c0aa983c35aac377a0b6d08f7efec

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2aab9385e2c17488516863265956dffd

SHA1
83cc49d560c341971c9c755e11d169577bed4864

SHA256
667454fec272140ce5ec94bf8cecedc20f28c0f2f32cf2952de0e6f2ba1744bd

SHA512
af3c72e243479ab6fc12c56e850c84a9632f44b5c05851929b2defa2a3d32aeacf8511305f9ffd2ce284087267c521152e7c0aa983c35aac377a0b6d08f7efec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1776851312\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1776851312\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\System Restore.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\System Restore.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
fff8d0453d50e452b545d2520a306797

SHA1
663c9afc5a987890a09b550b5a1d83743309c2be

SHA256
de4ea90a224e50e7490a6826d7d8c2317a099ec8e4db235e88fe58bedeb17ae5

SHA512
86f6cbba85fcaf005044c702f25f5371524e4e3a80b6e9dbd2965da1fc9584c6e782e2797304c56887e0085986517efb01198102e8489479b6f9b23ffe1a86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
b237a6824ed13e2dbb547386a1331ef0

SHA1
b87fb98ef55f2a89bb68f22a7b4c083eda167ee9

SHA256
293f699389f20f2e031d8665e29f51137d3d636eadbcef5b97663869799af395

SHA512
69f04735b87713f6d2e461ec1754287a3d89afe69a0b35f522ccae3905d5237bfd4cda06f7e61b435dd2024fba219037a57a699b3fa0548d69e0a6dd617a26a4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
41976fe583962acbdc0a3485f154ad0f

SHA1
94a1b75b96b68863e794dfb551f3a3716fe25230

SHA256
cbc793771ade73046aea25f570c03225bc800e3247b0009b7e70504de11c6781

SHA512
df4add6e2ec815b864ff78aeb9c68d44e4c1f1fe22c42a72963e278eaac9a26ac5a06e22f4f07f99b9fc224e3784f8326590ae406d687e37412e6220da4b12a4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
41976fe583962acbdc0a3485f154ad0f

SHA1
94a1b75b96b68863e794dfb551f3a3716fe25230

SHA256
cbc793771ade73046aea25f570c03225bc800e3247b0009b7e70504de11c6781

SHA512
df4add6e2ec815b864ff78aeb9c68d44e4c1f1fe22c42a72963e278eaac9a26ac5a06e22f4f07f99b9fc224e3784f8326590ae406d687e37412e6220da4b12a4

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0e476f8e8f424f1cec7f93abe65b5e40

SHA1
abd876d9f45ed30a27677443c92f9c887b5b9423

SHA256
3e6fca3e54b5202f1c23e0b5fd66d8051619a196e2955676c6988f3a0b095b5f

SHA512
69eeabef22b69f5d8e36fa283dbb1e124939759f30d25b09042422e8dbd853e9a504104c2840c3f77476c4bd90828b12a6891e50b9d25e502694f803e708001b

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
0e476f8e8f424f1cec7f93abe65b5e40

SHA1
abd876d9f45ed30a27677443c92f9c887b5b9423

SHA256
3e6fca3e54b5202f1c23e0b5fd66d8051619a196e2955676c6988f3a0b095b5f

SHA512
69eeabef22b69f5d8e36fa283dbb1e124939759f30d25b09042422e8dbd853e9a504104c2840c3f77476c4bd90828b12a6891e50b9d25e502694f803e708001b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads