520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 14:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe
Size

72KB
MD5

033cff1a07ef15d8b7cb94c59626b8a0
SHA1

2812fa1f4a5eaaf83493018693dc0a2101d620e6
SHA256

520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337
SHA512

69a1cfceff3ec55e9df3bacf9a548b494a55e471ad1affbf0edabfae93bc9e2e92f4854ef9287ec7f1919361167ffab343e0ff272c8bd2baef576f3d78e3fd36
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2I:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP8

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1080	backup.exe
4224	backup.exe
3504	backup.exe
3900	backup.exe
4716	backup.exe
3748	backup.exe
1584	backup.exe
3524	backup.exe
1800	backup.exe
3856	backup.exe
4548	backup.exe
4584	backup.exe
3960	backup.exe
204	backup.exe
4508	backup.exe
728	backup.exe
444	backup.exe
4152	backup.exe
4796	backup.exe
3472	backup.exe
1512	backup.exe
4416	backup.exe
1740	backup.exe
2420	data.exe
2580	backup.exe
8	backup.exe
4972	backup.exe
4988	backup.exe
4216	backup.exe
2316	backup.exe
2616	backup.exe
4448	backup.exe
3204	backup.exe
3548	System Restore.exe
4784	backup.exe
4244	backup.exe
4776	backup.exe
3388	backup.exe
1208	backup.exe
748	backup.exe
3460	backup.exe
2872	backup.exe
2612	backup.exe
2352	backup.exe
3408	backup.exe
3420	backup.exe
3040	backup.exe
448	backup.exe
1580	backup.exe
4880	backup.exe
812	backup.exe
3488	backup.exe
4292	backup.exe
1756	backup.exe
948	backup.exe
2220	backup.exe
1932	backup.exe
3924	backup.exe
4344	backup.exe
2472	backup.exe
2764	backup.exe
1708	backup.exe
2456	backup.exe
4104	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	data.exe
File opened for modification	C:\Windows\apppatch\de-DE\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\backup.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\data.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe
1080	backup.exe
4224	backup.exe
3504	backup.exe
3900	backup.exe
4716	backup.exe
3748	backup.exe
1584	backup.exe
3524	backup.exe
1800	backup.exe
3856	backup.exe
4548	backup.exe
4584	backup.exe
3960	backup.exe
204	backup.exe
4508	backup.exe
728	backup.exe
444	backup.exe
4152	backup.exe
4796	backup.exe
3472	backup.exe
1512	backup.exe
4416	backup.exe
1740	backup.exe
2420	data.exe
2580	backup.exe
8	backup.exe
4972	backup.exe
4988	backup.exe
4216	backup.exe
2316	backup.exe
2616	backup.exe
4448	backup.exe
3548	System Restore.exe
3204	backup.exe
4784	backup.exe
4244	backup.exe
4776	backup.exe
1208	backup.exe
3388	backup.exe
748	backup.exe
3460	backup.exe
2872	backup.exe
3420	backup.exe
2352	backup.exe
3408	backup.exe
2612	backup.exe
3040	backup.exe
448	backup.exe
1580	backup.exe
4880	backup.exe
812	backup.exe
4292	backup.exe
3488	backup.exe
1756	backup.exe
948	backup.exe
2220	backup.exe
1932	backup.exe
4344	backup.exe
3924	backup.exe
2472	backup.exe
2764	backup.exe
2456	backup.exe
1708	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1080	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	79
PID 4808 wrote to memory of 1080	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	79
PID 4808 wrote to memory of 1080	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	79
PID 4808 wrote to memory of 4224	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	80
PID 4808 wrote to memory of 4224	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	80
PID 4808 wrote to memory of 4224	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	80
PID 4808 wrote to memory of 3504	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	81
PID 4808 wrote to memory of 3504	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	81
PID 4808 wrote to memory of 3504	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	81
PID 4808 wrote to memory of 3900	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	82
PID 4808 wrote to memory of 3900	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	82
PID 4808 wrote to memory of 3900	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	82
PID 4808 wrote to memory of 4716	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	83
PID 4808 wrote to memory of 4716	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	83
PID 4808 wrote to memory of 4716	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	83
PID 1080 wrote to memory of 3748	1080	backup.exe	84
PID 1080 wrote to memory of 3748	1080	backup.exe	84
PID 1080 wrote to memory of 3748	1080	backup.exe	84
PID 4808 wrote to memory of 1584	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	85
PID 4808 wrote to memory of 1584	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	85
PID 4808 wrote to memory of 1584	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	85
PID 3748 wrote to memory of 3524	3748	backup.exe	86
PID 3748 wrote to memory of 3524	3748	backup.exe	86
PID 3748 wrote to memory of 3524	3748	backup.exe	86
PID 4808 wrote to memory of 1800	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	87
PID 4808 wrote to memory of 1800	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	87
PID 4808 wrote to memory of 1800	4808	520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe	87
PID 3748 wrote to memory of 3856	3748	backup.exe	88
PID 3748 wrote to memory of 3856	3748	backup.exe	88
PID 3748 wrote to memory of 3856	3748	backup.exe	88
PID 3748 wrote to memory of 4548	3748	backup.exe	89
PID 3748 wrote to memory of 4548	3748	backup.exe	89
PID 3748 wrote to memory of 4548	3748	backup.exe	89
PID 4548 wrote to memory of 4584	4548	backup.exe	90
PID 4548 wrote to memory of 4584	4548	backup.exe	90
PID 4548 wrote to memory of 4584	4548	backup.exe	90
PID 4584 wrote to memory of 3960	4584	backup.exe	91
PID 4584 wrote to memory of 3960	4584	backup.exe	91
PID 4584 wrote to memory of 3960	4584	backup.exe	91
PID 4548 wrote to memory of 204	4548	backup.exe	92
PID 4548 wrote to memory of 204	4548	backup.exe	92
PID 4548 wrote to memory of 204	4548	backup.exe	92
PID 204 wrote to memory of 4508	204	backup.exe	93
PID 204 wrote to memory of 4508	204	backup.exe	93
PID 204 wrote to memory of 4508	204	backup.exe	93
PID 204 wrote to memory of 728	204	backup.exe	94
PID 204 wrote to memory of 728	204	backup.exe	94
PID 204 wrote to memory of 728	204	backup.exe	94
PID 728 wrote to memory of 444	728	backup.exe	95
PID 728 wrote to memory of 444	728	backup.exe	95
PID 728 wrote to memory of 444	728	backup.exe	95
PID 728 wrote to memory of 4152	728	backup.exe	96
PID 728 wrote to memory of 4152	728	backup.exe	96
PID 728 wrote to memory of 4152	728	backup.exe	96
PID 4152 wrote to memory of 4796	4152	backup.exe	97
PID 4152 wrote to memory of 4796	4152	backup.exe	97
PID 4152 wrote to memory of 4796	4152	backup.exe	97
PID 4152 wrote to memory of 3472	4152	backup.exe	98
PID 4152 wrote to memory of 3472	4152	backup.exe	98
PID 4152 wrote to memory of 3472	4152	backup.exe	98
PID 4152 wrote to memory of 1512	4152	backup.exe	99
PID 4152 wrote to memory of 1512	4152	backup.exe	99
PID 4152 wrote to memory of 1512	4152	backup.exe	99
PID 4152 wrote to memory of 4416	4152	backup.exe	100

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe
"C:\Users\Admin\AppData\Local\Temp\520775e51531b12507fe084b1037419fcd33faedab5fdd66c37ecfc4220dd337.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\1454421138\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1454421138\backup.exe C:\Users\Admin\AppData\Local\Temp\1454421138\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1080
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3524
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3856
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4548
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3960
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:204
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4508
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:444
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4972
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3408
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2764
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        
        PID:488
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1748
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        System policy modification
        
        PID:3656
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4068
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4252
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:768
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        9⤵
        
        PID:1576
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        System policy modification
        
        PID:1752
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1412
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1684
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:3784
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:4296
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2484
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:3512
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1708
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:1840
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:4724
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:4840
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3300
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        System policy modification
        
        PID:4204
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:1832
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3204
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3420
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:100
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:752
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:3360
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4968
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4636
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:1844
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3248
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:3236
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5012
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3188
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4844
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:2244
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4448
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2872
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3984
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3500
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4516
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4908
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1428
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1144
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3416
        
        C:\Program Files\Common Files\System\msadc\en-US\update.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\update.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3400
        
        C:\Program Files\Common Files\System\msadc\es-ES\data.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\data.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4500
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3136
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4324
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3676
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2784
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4212
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2152
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:4660
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4460
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4216
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4244
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:4104
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:4584
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        System policy modification
        
        PID:3148
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2656
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4452
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        System policy modification
        
        PID:4248
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4512
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:3956
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        System policy modification
        
        PID:4248
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        System policy modification
        
        PID:3460
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2900
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:444
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1580
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1628
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:3984
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:3144
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\data.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:2692
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1884
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:4344
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:772
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:4352
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        Drops file in Program Files directory
        
        PID:4856
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        
        PID:1976
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:4932
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3920
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:4108
        
        C:\Program Files\Java\jre1.8.0_66\lib\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\data.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        
        PID:4384
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3252
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:3068
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3704
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:5008
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:692
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3528
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2276
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:2632
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        System policy modification
        
        PID:4052
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3120
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:204
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        System policy modification
        
        PID:3720
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:100
        
        C:\Program Files\Microsoft Office\Updates\Apply\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\data.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4408
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\
        9⤵
        
        PID:3208
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2524
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:1044
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:4460
      - C:\Program Files\Microsoft Office 15\ClientX64\update.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\update.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        System policy modification
        
        PID:4492
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:4468
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:3068
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2616
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4784
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        System policy modification
        
        PID:3576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:2196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:3520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4252
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        System policy modification
        
        PID:2640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        System policy modification
        
        PID:4816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:4636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        System policy modification
        
        PID:4656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        System policy modification
        
        PID:1536
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1028
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:4108
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:3180
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2600
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        System policy modification
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4232
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:4752
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:3496
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4280
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:2964
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:912
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:3236
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:2192
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2304
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:3900
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        System policy modification
        
        PID:3348
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Drops file in Program Files directory
        
        PID:3148
        
        C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\
        8⤵
        
        PID:4844
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3516
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:3656
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:2180
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2036
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1428
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Disables RegEdit via registry modification
      PID:4148
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3832
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:408
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3220
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2332
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:3928
      - C:\Users\Admin\Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\System Restore.exe" C:\Users\Admin\Pictures\
        6⤵
        System policy modification
        
        PID:4992
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2940
    - - C:\Users\Public\data.exe
        
        C:\Users\Public\data.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2576
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4260
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3308
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4956
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2580
  - - C:\Windows\System Restore.exe
      "C:\Windows\System Restore.exe" C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4040
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4640
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4284
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:3472
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
      - C:\Windows\apppatch\Custom\data.exe
        
        C:\Windows\apppatch\Custom\data.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4576
      - C:\Windows\apppatch\de-DE\update.exe
        
        C:\Windows\apppatch\de-DE\update.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:3420
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3136
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3576
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:2484
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1800

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
1⤵
- Disables RegEdit via registry modification
PID:2848

C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
1⤵
PID:1148
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
  2⤵
  - System policy modification
  PID:1572

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
1⤵
PID:4312

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
PID:3184

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
1⤵
- Disables RegEdit via registry modification
PID:1136

C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
1⤵
- Drops file in Program Files directory
PID:1544
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
  2⤵
  PID:4132
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
    3⤵
    - Drops file in Program Files directory
    PID:624
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
      4⤵
      PID:2124
    - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
      - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        6⤵
        
        PID:2828
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\System Restore.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5016

C:\Windows\appcompat\encapsulation\backup.exe
C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
1⤵
PID:648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
1⤵
- Modifies visibility of file extensions in Explorer
PID:4812

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
1⤵
- Drops file in Program Files directory
PID:5072
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
  2⤵
  - Drops file in Program Files directory
  PID:4104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
    3⤵
    PID:4540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
    3⤵
    PID:1732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
    3⤵
    PID:2352

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
1⤵
PID:2700

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
1⤵
- Modifies visibility of file extensions in Explorer
PID:1732

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
1⤵
- Disables RegEdit via registry modification
- Drops file in Windows directory
PID:1004

C:\Users\Admin\3D Objects\backup.exe
"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3576

C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
1⤵
PID:2612

C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\data.exe
"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
1⤵
PID:3168

C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
1⤵
PID:648

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
1⤵
PID:1436
- C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
  "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
  2⤵
  PID:3192
- C:\Program Files\Mozilla Firefox\browser\features\backup.exe
  "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
  2⤵
  - Disables RegEdit via registry modification
  PID:4880

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
1⤵
PID:2764

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
PID:2516

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
1⤵
PID:4784

C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
1⤵
- Disables RegEdit via registry modification
PID:3124

C:\Users\Admin\Pictures\Camera Roll\backup.exe
"C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
1⤵
PID:4428

C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
1⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f6e9ce0c773aa0bf979c744a760020cd

SHA1
9cbe76e617031d1f081bd088cf74dacf1395a06a

SHA256
a3e8db12d3527986160f10f451e8a5dc721dbfc71b97defad8a1c4e01e38fba8

SHA512
6e2740166ef0f92169a02709bb8e56d170452083b360883e5446a0840fa9d1ec5bf97d5cd8d624de9cb4c6b880d4d16827607303efe53c223f7469859f0edef1

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
f6e9ce0c773aa0bf979c744a760020cd

SHA1
9cbe76e617031d1f081bd088cf74dacf1395a06a

SHA256
a3e8db12d3527986160f10f451e8a5dc721dbfc71b97defad8a1c4e01e38fba8

SHA512
6e2740166ef0f92169a02709bb8e56d170452083b360883e5446a0840fa9d1ec5bf97d5cd8d624de9cb4c6b880d4d16827607303efe53c223f7469859f0edef1

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
647f0d973298c4352bf21e6a543ee58f

SHA1
d2432875deb7907566c364058ad73ac9fad64254

SHA256
b77e10cbf9ab5d007a48dc24ddb762aa0316236a43c2ff2232293abc71e9dccf

SHA512
4fa533a3988b3aedd1dfc158956290bf3937934d163287156868c7dc9612af5c299ae60042f52b4349202af3557aa8e2425cd9954f8957c254b5b47ba5141125

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
647f0d973298c4352bf21e6a543ee58f

SHA1
d2432875deb7907566c364058ad73ac9fad64254

SHA256
b77e10cbf9ab5d007a48dc24ddb762aa0316236a43c2ff2232293abc71e9dccf

SHA512
4fa533a3988b3aedd1dfc158956290bf3937934d163287156868c7dc9612af5c299ae60042f52b4349202af3557aa8e2425cd9954f8957c254b5b47ba5141125

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bae9d080607090d871d5c309a84d001d

SHA1
c1d98b95af9e80347feed8dc538451a3a4e27c05

SHA256
5ba9c7a65cc51062782a112b82977e0c9eb9b8ad8c15a5b272ce34e2987a3874

SHA512
bec35504d8df9fd952829d7071b28306daf28811fd3cce8ca556f515b38c1ea354de1fc0797f75df4b3d63ebacef33a7796ac36639b9394296a4616430bf60d3

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
bae9d080607090d871d5c309a84d001d

SHA1
c1d98b95af9e80347feed8dc538451a3a4e27c05

SHA256
5ba9c7a65cc51062782a112b82977e0c9eb9b8ad8c15a5b272ce34e2987a3874

SHA512
bec35504d8df9fd952829d7071b28306daf28811fd3cce8ca556f515b38c1ea354de1fc0797f75df4b3d63ebacef33a7796ac36639b9394296a4616430bf60d3

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
463874cc3fa0abdff32b1c43dd5a756e

SHA1
76faed1a7d88689574c33d5d86b8a34fdf20ef48

SHA256
3d24b7de4ad3dd02ade4e264ed502244e12ff3c0de7ec21d64cefb259dd9c06f

SHA512
330fa3924ff61dccd1159697c5d2eccd3c8c55b37306b985094a8369e9a992d17fcbd34416b0ca8f27698b1d47ce3dbbd1d63778281283c05e78926d4a79bcfa

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
463874cc3fa0abdff32b1c43dd5a756e

SHA1
76faed1a7d88689574c33d5d86b8a34fdf20ef48

SHA256
3d24b7de4ad3dd02ade4e264ed502244e12ff3c0de7ec21d64cefb259dd9c06f

SHA512
330fa3924ff61dccd1159697c5d2eccd3c8c55b37306b985094a8369e9a992d17fcbd34416b0ca8f27698b1d47ce3dbbd1d63778281283c05e78926d4a79bcfa

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
cd2bc1f73b6f55e215cae4d92de08912

SHA1
9ceb92d77069adc7f05a7526eb6520784bbfe08e

SHA256
906b4b4136f01167ba4ce30fa310d826f963958776c9f8e368efe9543ef1abfb

SHA512
aac43f8e5e161adcbb91a94823e4c67dfa668f63dac4ebf1b4d05058258fdc335ae0348e88f0fe34d7fd01b23ac3b13b2ac305c255513a426454f3462da62da4

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
cd2bc1f73b6f55e215cae4d92de08912

SHA1
9ceb92d77069adc7f05a7526eb6520784bbfe08e

SHA256
906b4b4136f01167ba4ce30fa310d826f963958776c9f8e368efe9543ef1abfb

SHA512
aac43f8e5e161adcbb91a94823e4c67dfa668f63dac4ebf1b4d05058258fdc335ae0348e88f0fe34d7fd01b23ac3b13b2ac305c255513a426454f3462da62da4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
cbeee97f76eee78889dec8b9543d6022

SHA1
855fb3f9a663fd6ea3f4708fb97f504671d27c33

SHA256
6ecdade07695c7d3bafcb904809256e5061b9460acd001381aacfab3d6e05d3c

SHA512
b48edd64ff35a5163f9a060d9a5984b78ac8c500386e6efc5a83eb495eaf92f62f0513d3bc030382b93fdcc69b18c112df6e4bca4431626ec332456ba3d129cb

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
cbeee97f76eee78889dec8b9543d6022

SHA1
855fb3f9a663fd6ea3f4708fb97f504671d27c33

SHA256
6ecdade07695c7d3bafcb904809256e5061b9460acd001381aacfab3d6e05d3c

SHA512
b48edd64ff35a5163f9a060d9a5984b78ac8c500386e6efc5a83eb495eaf92f62f0513d3bc030382b93fdcc69b18c112df6e4bca4431626ec332456ba3d129cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
4ecee0a2b76bb425ee85ef34de9f6151

SHA1
0bf64b240a626122597fe346b7bf11bf6420bb57

SHA256
8127e5e8333aa107963365489f9fbd912ec456d7a315da23348b0daa31c71a44

SHA512
fe8fb93d03571d374c7b0a05137e48940e2e9ccb79f95cc0fa21b178aef48b843e1042ae30e78ca5459e784eb02f3fe3e4fcec8e838c3a2583d43b9759f3bcec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
4ecee0a2b76bb425ee85ef34de9f6151

SHA1
0bf64b240a626122597fe346b7bf11bf6420bb57

SHA256
8127e5e8333aa107963365489f9fbd912ec456d7a315da23348b0daa31c71a44

SHA512
fe8fb93d03571d374c7b0a05137e48940e2e9ccb79f95cc0fa21b178aef48b843e1042ae30e78ca5459e784eb02f3fe3e4fcec8e838c3a2583d43b9759f3bcec

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
463874cc3fa0abdff32b1c43dd5a756e

SHA1
76faed1a7d88689574c33d5d86b8a34fdf20ef48

SHA256
3d24b7de4ad3dd02ade4e264ed502244e12ff3c0de7ec21d64cefb259dd9c06f

SHA512
330fa3924ff61dccd1159697c5d2eccd3c8c55b37306b985094a8369e9a992d17fcbd34416b0ca8f27698b1d47ce3dbbd1d63778281283c05e78926d4a79bcfa

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
463874cc3fa0abdff32b1c43dd5a756e

SHA1
76faed1a7d88689574c33d5d86b8a34fdf20ef48

SHA256
3d24b7de4ad3dd02ade4e264ed502244e12ff3c0de7ec21d64cefb259dd9c06f

SHA512
330fa3924ff61dccd1159697c5d2eccd3c8c55b37306b985094a8369e9a992d17fcbd34416b0ca8f27698b1d47ce3dbbd1d63778281283c05e78926d4a79bcfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
4ead09d7f6cae91dbe07d5c018d20baa

SHA1
8ee17b8df29c46da49fd5b359c3e50a223e5d6c8

SHA256
944d747d05b3bcc7cc231d4c233b3f55bd851047f9bc6959289a9baadaf52d80

SHA512
c7c9cc9e1847b651d2b19a5d13120e0430731cff84694fe8e6ae874efa9082deea191fc37331028f0016e5210ba33627e5b1b39ad7d30cacc9662dfe00bbd004

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
4ead09d7f6cae91dbe07d5c018d20baa

SHA1
8ee17b8df29c46da49fd5b359c3e50a223e5d6c8

SHA256
944d747d05b3bcc7cc231d4c233b3f55bd851047f9bc6959289a9baadaf52d80

SHA512
c7c9cc9e1847b651d2b19a5d13120e0430731cff84694fe8e6ae874efa9082deea191fc37331028f0016e5210ba33627e5b1b39ad7d30cacc9662dfe00bbd004

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
4ecee0a2b76bb425ee85ef34de9f6151

SHA1
0bf64b240a626122597fe346b7bf11bf6420bb57

SHA256
8127e5e8333aa107963365489f9fbd912ec456d7a315da23348b0daa31c71a44

SHA512
fe8fb93d03571d374c7b0a05137e48940e2e9ccb79f95cc0fa21b178aef48b843e1042ae30e78ca5459e784eb02f3fe3e4fcec8e838c3a2583d43b9759f3bcec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
4ecee0a2b76bb425ee85ef34de9f6151

SHA1
0bf64b240a626122597fe346b7bf11bf6420bb57

SHA256
8127e5e8333aa107963365489f9fbd912ec456d7a315da23348b0daa31c71a44

SHA512
fe8fb93d03571d374c7b0a05137e48940e2e9ccb79f95cc0fa21b178aef48b843e1042ae30e78ca5459e784eb02f3fe3e4fcec8e838c3a2583d43b9759f3bcec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\data.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
4324c37e763f81d49450466962db4d28

SHA1
33ab4599ce72d0d613268b18a3a8d759a9b2e320

SHA256
f862a3c13ff1d59b5131f6cfcf2a0398fe6b0255932c60e1e3d485680daf12ef

SHA512
72b7877d9077d4053f7c0cf9d6492634e70cf0d30195d37dfa45b453b06287e9e634d2df7b1ebef41204f523acd7add22c35b306f3ff2131d80bc1f5735c392c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
2e193c355a23f3aacb5dceccc27f65ca

SHA1
538ec70f6d207f861cf8fb63bdec3298ee56e7b7

SHA256
88a6f21d44b8548a1c66711593397fd8ef394c2da88c047eeb7e3a6c669d9135

SHA512
d70bb3b9f1c69eee0e84746cd2713e427bb25a72e942812b7fb871d85b75a6d233bc146401b454d6afc0a935cd4083cb4c658eb8b1b9682fab841ec197a5ccf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
2e193c355a23f3aacb5dceccc27f65ca

SHA1
538ec70f6d207f861cf8fb63bdec3298ee56e7b7

SHA256
88a6f21d44b8548a1c66711593397fd8ef394c2da88c047eeb7e3a6c669d9135

SHA512
d70bb3b9f1c69eee0e84746cd2713e427bb25a72e942812b7fb871d85b75a6d233bc146401b454d6afc0a935cd4083cb4c658eb8b1b9682fab841ec197a5ccf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
2e193c355a23f3aacb5dceccc27f65ca

SHA1
538ec70f6d207f861cf8fb63bdec3298ee56e7b7

SHA256
88a6f21d44b8548a1c66711593397fd8ef394c2da88c047eeb7e3a6c669d9135

SHA512
d70bb3b9f1c69eee0e84746cd2713e427bb25a72e942812b7fb871d85b75a6d233bc146401b454d6afc0a935cd4083cb4c658eb8b1b9682fab841ec197a5ccf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
2e193c355a23f3aacb5dceccc27f65ca

SHA1
538ec70f6d207f861cf8fb63bdec3298ee56e7b7

SHA256
88a6f21d44b8548a1c66711593397fd8ef394c2da88c047eeb7e3a6c669d9135

SHA512
d70bb3b9f1c69eee0e84746cd2713e427bb25a72e942812b7fb871d85b75a6d233bc146401b454d6afc0a935cd4083cb4c658eb8b1b9682fab841ec197a5ccf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
28e53fbde7ae44d269ec679e1e361e63

SHA1
e7ebf39df8a9ddc2c9e318e45a43bcbab58e3819

SHA256
f334b69d7a76e19ee6eff1e5af7ed69bf6c6c334abff703248ad1a73cdc5762d

SHA512
03bda085ef509e5069daf8e9012eb6f1e2611f2003ec74052f65c43be9e40d338701a147aa48a04c5f5be4d631452d042f8a4827b80ae64b17c631777691d3e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
28e53fbde7ae44d269ec679e1e361e63

SHA1
e7ebf39df8a9ddc2c9e318e45a43bcbab58e3819

SHA256
f334b69d7a76e19ee6eff1e5af7ed69bf6c6c334abff703248ad1a73cdc5762d

SHA512
03bda085ef509e5069daf8e9012eb6f1e2611f2003ec74052f65c43be9e40d338701a147aa48a04c5f5be4d631452d042f8a4827b80ae64b17c631777691d3e5

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
3d5c73d4faf47a4b9819bc42a9e460b0

SHA1
e9bd234b575a6402fe76d55753a09e5b064c41ec

SHA256
302c818128c81ef2d131eb4162ce8a399471b90cbe3aa6abf3fca4228243d5a3

SHA512
d477930d8199c4f2e187cff7548dd59cab47c24b2865d48392ae5243de54a64565cbefba440ea25871c40ddee132dcb603c0e0ca211532cb475bc618ba80466a

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
3d5c73d4faf47a4b9819bc42a9e460b0

SHA1
e9bd234b575a6402fe76d55753a09e5b064c41ec

SHA256
302c818128c81ef2d131eb4162ce8a399471b90cbe3aa6abf3fca4228243d5a3

SHA512
d477930d8199c4f2e187cff7548dd59cab47c24b2865d48392ae5243de54a64565cbefba440ea25871c40ddee132dcb603c0e0ca211532cb475bc618ba80466a

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit
C:\Users\Admin\AppData\Local\Temp\1454421138\backup.exe

Filesize
72KB

MD5
a1d447976d25267c8e43e80f3b4696cc

SHA1
0cfe52cf1ccd3c26bb1d6c25051581a76204ee1a

SHA256
d6efc441f720a9fea527cf0dff3d4b2514faecc31da7ad457179e6e519f5abf4

SHA512
40a1759ead3354fe345e08174bfbcecf3435c1ba254b65020c52adfd07c4536a0c546b5e9d763d13c6d91b38a500059acb8eaef6ee9745468583363ccd05a36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1454421138\backup.exe

Filesize
72KB

MD5
a1d447976d25267c8e43e80f3b4696cc

SHA1
0cfe52cf1ccd3c26bb1d6c25051581a76204ee1a

SHA256
d6efc441f720a9fea527cf0dff3d4b2514faecc31da7ad457179e6e519f5abf4

SHA512
40a1759ead3354fe345e08174bfbcecf3435c1ba254b65020c52adfd07c4536a0c546b5e9d763d13c6d91b38a500059acb8eaef6ee9745468583363ccd05a36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
18c38ebefdf2931798bc41d240c88711

SHA1
9b8c8fc6d70fde10f904d2912913e7123142d7c0

SHA256
ce3ef40c215c8001147b0df382271ed3139b1b9010c62a9becb6c034fc3d25d7

SHA512
9c6c05fa99a3b2afaa9f3e904e940e98bdccdc429760353a1fc3230c0a1e22d62efadedf0bdf341382da8622f77476e2259440cdb6a2489a2401485f8a9eaf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
18c38ebefdf2931798bc41d240c88711

SHA1
9b8c8fc6d70fde10f904d2912913e7123142d7c0

SHA256
ce3ef40c215c8001147b0df382271ed3139b1b9010c62a9becb6c034fc3d25d7

SHA512
9c6c05fa99a3b2afaa9f3e904e940e98bdccdc429760353a1fc3230c0a1e22d62efadedf0bdf341382da8622f77476e2259440cdb6a2489a2401485f8a9eaf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
2dcdaf4a803e156013881919966f630d

SHA1
f121732e77eafb4cd2aa04147dc2ca51371c6463

SHA256
089d24d7992cd08ce8868c466e2be2cbefcc063b02f13e4f8f1ac0ad6371df59

SHA512
8127f3b046637d67b94a06390534976ee347d86946f86a29966d5f1822fecccd88a1263fa97ee352c1be7f5eda669811cfdaafdc9e0d212e954587171ab58d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
18c38ebefdf2931798bc41d240c88711

SHA1
9b8c8fc6d70fde10f904d2912913e7123142d7c0

SHA256
ce3ef40c215c8001147b0df382271ed3139b1b9010c62a9becb6c034fc3d25d7

SHA512
9c6c05fa99a3b2afaa9f3e904e940e98bdccdc429760353a1fc3230c0a1e22d62efadedf0bdf341382da8622f77476e2259440cdb6a2489a2401485f8a9eaf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
18c38ebefdf2931798bc41d240c88711

SHA1
9b8c8fc6d70fde10f904d2912913e7123142d7c0

SHA256
ce3ef40c215c8001147b0df382271ed3139b1b9010c62a9becb6c034fc3d25d7

SHA512
9c6c05fa99a3b2afaa9f3e904e940e98bdccdc429760353a1fc3230c0a1e22d62efadedf0bdf341382da8622f77476e2259440cdb6a2489a2401485f8a9eaf4e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
628cc6a06ad9e515d489f50be8c6ff5e

SHA1
6c53b43d1b7f7b2984ec1683d1f8f4ba0e94d828

SHA256
08907ff9ff5657a5e65462b175b82184db09a75347f3684e2b9be38c415f5c27

SHA512
afd14682421b602c456d90e2dd0ae1bc73c927574019129fd897151bae1a3b9c76328d68fd72e12d3063236206a4caae1d3294629db00b6f8aace8eefd5c389a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
628cc6a06ad9e515d489f50be8c6ff5e

SHA1
6c53b43d1b7f7b2984ec1683d1f8f4ba0e94d828

SHA256
08907ff9ff5657a5e65462b175b82184db09a75347f3684e2b9be38c415f5c27

SHA512
afd14682421b602c456d90e2dd0ae1bc73c927574019129fd897151bae1a3b9c76328d68fd72e12d3063236206a4caae1d3294629db00b6f8aace8eefd5c389a

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
3bc96ef10dbdf71bbb235155a16af3fe

SHA1
5b0970782aa18c153cffbfe30b535c9e664964a0

SHA256
bacd8e97fcacad339fb35154c11e0165977808698e4a963f42e41c5bafdeca6f

SHA512
222361dbef96f7181e6e5d758f073aa03e63043f7561418f2b721d426759132c0c4cf5a434e3fda1af3802e43c98488ab2d8043e22f96eae7a4b3a2ad037a327

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads