5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677

Analysis

max time kernel
222s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe
Size

72KB
MD5

03bad6f4962a35699408ca33479fd348
SHA1

e00fa698226319f4e4be2ec9a0bb52ee2556a70c
SHA256

5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677
SHA512

e8702cd7b4703c04767785552b96687db1b91d30cf70bcbc3db64a2c06caf88b3f8a8e141196f4fff886242f2bca100d5deff0559648560d1d806d66fd462845
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPRT:ieTce/U/hKYuKPV

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1836	backup.exe
4896	backup.exe
4832	backup.exe
2352	backup.exe
3444	backup.exe
880	backup.exe
1336	data.exe
3616	backup.exe
3568	backup.exe
924	backup.exe
1396	backup.exe
3708	backup.exe
2168	backup.exe
2124	backup.exe
3028	backup.exe
2156	backup.exe
3596	backup.exe
4512	backup.exe
2560	backup.exe
1164	backup.exe
1680	backup.exe
2636	update.exe
4000	backup.exe
1848	backup.exe
1828	backup.exe
2772	backup.exe
5000	backup.exe
3612	backup.exe
1740	backup.exe
3208	backup.exe
4824	backup.exe
1992	backup.exe
3540	backup.exe
4452	backup.exe
4316	backup.exe
3076	backup.exe
432	backup.exe
4800	backup.exe
1384	backup.exe
1888	update.exe
2500	backup.exe
4456	backup.exe
1388	backup.exe
972	backup.exe
4076	backup.exe
1124	backup.exe
428	backup.exe
544	backup.exe
3480	backup.exe
4140	backup.exe
4412	backup.exe
3592	backup.exe
2912	backup.exe
4788	backup.exe
4608	data.exe
3932	backup.exe
4844	backup.exe
3708	System Restore.exe
4524	data.exe
3596	data.exe
2468	backup.exe
5104	backup.exe
1636	backup.exe
4392	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\System Restore.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe
1836	backup.exe
4896	backup.exe
4832	backup.exe
2352	backup.exe
3444	backup.exe
880	backup.exe
1336	data.exe
3616	backup.exe
3568	backup.exe
924	backup.exe
1396	backup.exe
3708	backup.exe
2168	backup.exe
2124	backup.exe
3028	backup.exe
2156	backup.exe
3596	backup.exe
4512	backup.exe
2560	backup.exe
1164	backup.exe
1680	backup.exe
2636	update.exe
4000	backup.exe
1848	backup.exe
1828	backup.exe
2772	backup.exe
3612	backup.exe
5000	backup.exe
1740	backup.exe
3208	backup.exe
4824	backup.exe
1992	backup.exe
3540	backup.exe
4452	backup.exe
4316	backup.exe
432	backup.exe
3076	backup.exe
1384	backup.exe
1888	update.exe
4800	backup.exe
2500	backup.exe
4456	backup.exe
1388	backup.exe
1124	backup.exe
4076	backup.exe
544	backup.exe
428	backup.exe
3480	backup.exe
4140	backup.exe
4412	backup.exe
3592	backup.exe
4788	backup.exe
2912	backup.exe
4608	data.exe
3932	backup.exe
4844	backup.exe
3708	System Restore.exe
4524	data.exe
2468	backup.exe
3596	data.exe
1636	backup.exe
5104	backup.exe
3512	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 1836	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	83
PID 3680 wrote to memory of 1836	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	83
PID 3680 wrote to memory of 1836	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	83
PID 3680 wrote to memory of 4896	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	84
PID 3680 wrote to memory of 4896	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	84
PID 3680 wrote to memory of 4896	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	84
PID 3680 wrote to memory of 4832	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	85
PID 3680 wrote to memory of 4832	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	85
PID 3680 wrote to memory of 4832	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	85
PID 1836 wrote to memory of 2352	1836	backup.exe	86
PID 1836 wrote to memory of 2352	1836	backup.exe	86
PID 1836 wrote to memory of 2352	1836	backup.exe	86
PID 3680 wrote to memory of 3444	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	87
PID 3680 wrote to memory of 3444	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	87
PID 3680 wrote to memory of 3444	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	87
PID 2352 wrote to memory of 880	2352	backup.exe	88
PID 2352 wrote to memory of 880	2352	backup.exe	88
PID 2352 wrote to memory of 880	2352	backup.exe	88
PID 3680 wrote to memory of 1336	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	89
PID 3680 wrote to memory of 1336	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	89
PID 3680 wrote to memory of 1336	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	89
PID 2352 wrote to memory of 3616	2352	backup.exe	90
PID 2352 wrote to memory of 3616	2352	backup.exe	90
PID 2352 wrote to memory of 3616	2352	backup.exe	90
PID 3680 wrote to memory of 3568	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	91
PID 3680 wrote to memory of 3568	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	91
PID 3680 wrote to memory of 3568	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	91
PID 2352 wrote to memory of 924	2352	backup.exe	92
PID 2352 wrote to memory of 924	2352	backup.exe	92
PID 2352 wrote to memory of 924	2352	backup.exe	92
PID 3680 wrote to memory of 1396	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	93
PID 3680 wrote to memory of 1396	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	93
PID 3680 wrote to memory of 1396	3680	5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe	93
PID 924 wrote to memory of 3708	924	backup.exe	94
PID 924 wrote to memory of 3708	924	backup.exe	94
PID 924 wrote to memory of 3708	924	backup.exe	94
PID 3708 wrote to memory of 2168	3708	backup.exe	95
PID 3708 wrote to memory of 2168	3708	backup.exe	95
PID 3708 wrote to memory of 2168	3708	backup.exe	95
PID 924 wrote to memory of 2124	924	backup.exe	96
PID 924 wrote to memory of 2124	924	backup.exe	96
PID 924 wrote to memory of 2124	924	backup.exe	96
PID 2124 wrote to memory of 3028	2124	backup.exe	97
PID 2124 wrote to memory of 3028	2124	backup.exe	97
PID 2124 wrote to memory of 3028	2124	backup.exe	97
PID 2124 wrote to memory of 2156	2124	backup.exe	98
PID 2124 wrote to memory of 2156	2124	backup.exe	98
PID 2124 wrote to memory of 2156	2124	backup.exe	98
PID 2156 wrote to memory of 3596	2156	backup.exe	99
PID 2156 wrote to memory of 3596	2156	backup.exe	99
PID 2156 wrote to memory of 3596	2156	backup.exe	99
PID 2156 wrote to memory of 4512	2156	backup.exe	100
PID 2156 wrote to memory of 4512	2156	backup.exe	100
PID 2156 wrote to memory of 4512	2156	backup.exe	100
PID 4512 wrote to memory of 2560	4512	backup.exe	101
PID 4512 wrote to memory of 2560	4512	backup.exe	101
PID 4512 wrote to memory of 2560	4512	backup.exe	101
PID 4512 wrote to memory of 1164	4512	backup.exe	102
PID 4512 wrote to memory of 1164	4512	backup.exe	102
PID 4512 wrote to memory of 1164	4512	backup.exe	102
PID 4512 wrote to memory of 1680	4512	backup.exe	103
PID 4512 wrote to memory of 1680	4512	backup.exe	103
PID 4512 wrote to memory of 1680	4512	backup.exe	103
PID 4512 wrote to memory of 2636	4512	backup.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe
"C:\Users\Admin\AppData\Local\Temp\5d07daa8020702353019f08c99b6f63bbf3cca926b71962a3cfc7a7ac7966677.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\225852786\backup.exe
  C:\Users\Admin\AppData\Local\Temp\225852786\backup.exe C:\Users\Admin\AppData\Local\Temp\225852786\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:880
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3616
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:924
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2156
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4512
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:432
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4076
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4788
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2128
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2484
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        System policy modification
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2824
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2616
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:2208
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4900
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:4108
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        System policy modification
        
        PID:3228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:3444
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1312
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3676
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:432
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2172
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:2212
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:388
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4140
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4608
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System policy modification
        
        PID:4392
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:988
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2140
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4260
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:4420
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1744
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:112
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:3672
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:1160
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3612
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4824
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:972
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3932
        
        C:\Program Files\Common Files\System\ado\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\data.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:3944
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:2500
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4528
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:4092
        
        C:\Program Files\Common Files\System\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\es-ES\System Restore.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2480
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Program Files\Common Files\System\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:4484
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3068
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2956
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3864
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1440
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5000
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4456
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:428
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5104
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4916
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:3704
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        System policy modification
        
        PID:5016
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1924
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:392
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2856
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2712
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4524
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:3600
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4904
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4076
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3156
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4820
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:448
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4708
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3284
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:4100
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1840
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:3696
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:5088
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:1924
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1536
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Disables RegEdit via registry modification
        
        PID:652
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Drops file in Program Files directory
        
        PID:1588
      - C:\Program Files\Microsoft Office 15\ClientX64\update.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\update.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        System policy modification
        
        PID:760
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2772
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3540
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:2136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        System policy modification
        
        PID:3640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:4592
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:3428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:2484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4592
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        System policy modification
        
        PID:4840
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2468
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2120
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2128
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:2564
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:2428
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        System policy modification
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:952
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        System policy modification
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:1672
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4316
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1256
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:4864
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1560
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1116
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        System policy modification
        
        PID:5064
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1952
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:4360
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3468
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:856
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:3868
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:632
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1636
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:4068
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4252
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:3956
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1964
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4304
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4660
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:64
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2056
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2416
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:3864
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3732
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4644
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:3648
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:1320
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4996
      - C:\Windows\appcompat\appraiser\System Restore.exe
        
        "C:\Windows\appcompat\appraiser\System Restore.exe" C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:896
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3448
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2308
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:4316
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:1060
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:3536
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1396

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
1⤵
- Drops file in Program Files directory
PID:3048
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
  2⤵
  PID:1752

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
1⤵
- Drops file in Program Files directory
PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
  2⤵
  PID:1792

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
1⤵
PID:2316

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
2c1dbc05324cc9d8978e47889195a6c8

SHA1
e84de5f73b105ab8382dc00f6bf3fc3fb1ba9447

SHA256
cd51085c38a86ac041ce69491d9799e130e17e28ace7ea260e8891dd0e4e4b0e

SHA512
da865ea2a7d559cd5593d8dbe650550392b130e659d5719461588a7659f16c290dad88fd7fe3412a8ac6db136a3cf6dee55ee252f2006ab532766746032a9697

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
2c1dbc05324cc9d8978e47889195a6c8

SHA1
e84de5f73b105ab8382dc00f6bf3fc3fb1ba9447

SHA256
cd51085c38a86ac041ce69491d9799e130e17e28ace7ea260e8891dd0e4e4b0e

SHA512
da865ea2a7d559cd5593d8dbe650550392b130e659d5719461588a7659f16c290dad88fd7fe3412a8ac6db136a3cf6dee55ee252f2006ab532766746032a9697

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0c74554398b89fb5213b22189d0e4e9a

SHA1
a2e71596fbfdef38b973469685ae9d2e9873730c

SHA256
b09e8be3e09f07506bb95067da75674d3d44bef3f56da6b3a4422bde435e15a2

SHA512
808eccedaacb0b180264818810a66034b9733ac7ea0cd20aa0dfe35d25d8841806cd416f0d4ce8d78b66ef3ff284db46e3945d309c5cf2a9095d4eae3d36e755

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0c74554398b89fb5213b22189d0e4e9a

SHA1
a2e71596fbfdef38b973469685ae9d2e9873730c

SHA256
b09e8be3e09f07506bb95067da75674d3d44bef3f56da6b3a4422bde435e15a2

SHA512
808eccedaacb0b180264818810a66034b9733ac7ea0cd20aa0dfe35d25d8841806cd416f0d4ce8d78b66ef3ff284db46e3945d309c5cf2a9095d4eae3d36e755

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
da7e025792c97d20202ba3ffde69ef84

SHA1
1257c9e8f62f6bd3040cbdc86543ed00ab461672

SHA256
41b49180ac62178971dc17656977b434ff3f77e76044091f309bd047a64c33a3

SHA512
ad59faadeb508a05701fb50fd6cf652ce7990efa6112ab02ae36dc729614b9b01dab070941ed5156dbd38df440a6150b28aa2ead693b629c6f9554eb862a3614

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
da7e025792c97d20202ba3ffde69ef84

SHA1
1257c9e8f62f6bd3040cbdc86543ed00ab461672

SHA256
41b49180ac62178971dc17656977b434ff3f77e76044091f309bd047a64c33a3

SHA512
ad59faadeb508a05701fb50fd6cf652ce7990efa6112ab02ae36dc729614b9b01dab070941ed5156dbd38df440a6150b28aa2ead693b629c6f9554eb862a3614

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
da7e025792c97d20202ba3ffde69ef84

SHA1
1257c9e8f62f6bd3040cbdc86543ed00ab461672

SHA256
41b49180ac62178971dc17656977b434ff3f77e76044091f309bd047a64c33a3

SHA512
ad59faadeb508a05701fb50fd6cf652ce7990efa6112ab02ae36dc729614b9b01dab070941ed5156dbd38df440a6150b28aa2ead693b629c6f9554eb862a3614

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
da7e025792c97d20202ba3ffde69ef84

SHA1
1257c9e8f62f6bd3040cbdc86543ed00ab461672

SHA256
41b49180ac62178971dc17656977b434ff3f77e76044091f309bd047a64c33a3

SHA512
ad59faadeb508a05701fb50fd6cf652ce7990efa6112ab02ae36dc729614b9b01dab070941ed5156dbd38df440a6150b28aa2ead693b629c6f9554eb862a3614

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0c74554398b89fb5213b22189d0e4e9a

SHA1
a2e71596fbfdef38b973469685ae9d2e9873730c

SHA256
b09e8be3e09f07506bb95067da75674d3d44bef3f56da6b3a4422bde435e15a2

SHA512
808eccedaacb0b180264818810a66034b9733ac7ea0cd20aa0dfe35d25d8841806cd416f0d4ce8d78b66ef3ff284db46e3945d309c5cf2a9095d4eae3d36e755

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0c74554398b89fb5213b22189d0e4e9a

SHA1
a2e71596fbfdef38b973469685ae9d2e9873730c

SHA256
b09e8be3e09f07506bb95067da75674d3d44bef3f56da6b3a4422bde435e15a2

SHA512
808eccedaacb0b180264818810a66034b9733ac7ea0cd20aa0dfe35d25d8841806cd416f0d4ce8d78b66ef3ff284db46e3945d309c5cf2a9095d4eae3d36e755

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9162f90132b4fecdf4fc1e509ab2f13c

SHA1
60d66eba3714e75c4b69d09ff66656d04fa50b91

SHA256
f58dd54647d650cee1aec644f9071c96fde77f4ccf29f21ad6609c271ba96786

SHA512
10ed35029551fa837d32a3c099d9d2150c01361a084e253f506cf04463f2704e8cd5be73a8f7f85b80c291d861f29fcc565e9e32e73f17b8e4d4ca0561d56fb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9162f90132b4fecdf4fc1e509ab2f13c

SHA1
60d66eba3714e75c4b69d09ff66656d04fa50b91

SHA256
f58dd54647d650cee1aec644f9071c96fde77f4ccf29f21ad6609c271ba96786

SHA512
10ed35029551fa837d32a3c099d9d2150c01361a084e253f506cf04463f2704e8cd5be73a8f7f85b80c291d861f29fcc565e9e32e73f17b8e4d4ca0561d56fb5

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
ac707f84ad6853b31266a811eb9cc562

SHA1
ee6c0e68e672f73ff78501ae0a3b501a49e58456

SHA256
98510be8b784ad32342537aa6dec812d719f98871178ee5f5be15412fbea4b21

SHA512
92f30e3546ce4bd3064351c1bcc79117688c6d0a7038b4400d32f77a4958379bafe5f7c3b0d1919647c6bddba2f5b4d5805c1ac210cb06b89571dffadeda9083

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
ac707f84ad6853b31266a811eb9cc562

SHA1
ee6c0e68e672f73ff78501ae0a3b501a49e58456

SHA256
98510be8b784ad32342537aa6dec812d719f98871178ee5f5be15412fbea4b21

SHA512
92f30e3546ce4bd3064351c1bcc79117688c6d0a7038b4400d32f77a4958379bafe5f7c3b0d1919647c6bddba2f5b4d5805c1ac210cb06b89571dffadeda9083

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
594a8a2fe20c4ee17480fcd9f661e27f

SHA1
436f02be9bcbe7a1dac000733acee2eae6246418

SHA256
df67a3cafb7435eeddf83e3d2c5941d8bcfa6168d813aa8e43b67769bd4aeeca

SHA512
497055508993b22b3978f1a5adc3f779c0155146c51bee3ad587c0148e00f48d0daaf536170dfc3b110b2cb41cec46941e16ebc72efcd8541fb39f36fff3dea7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9162f90132b4fecdf4fc1e509ab2f13c

SHA1
60d66eba3714e75c4b69d09ff66656d04fa50b91

SHA256
f58dd54647d650cee1aec644f9071c96fde77f4ccf29f21ad6609c271ba96786

SHA512
10ed35029551fa837d32a3c099d9d2150c01361a084e253f506cf04463f2704e8cd5be73a8f7f85b80c291d861f29fcc565e9e32e73f17b8e4d4ca0561d56fb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9162f90132b4fecdf4fc1e509ab2f13c

SHA1
60d66eba3714e75c4b69d09ff66656d04fa50b91

SHA256
f58dd54647d650cee1aec644f9071c96fde77f4ccf29f21ad6609c271ba96786

SHA512
10ed35029551fa837d32a3c099d9d2150c01361a084e253f506cf04463f2704e8cd5be73a8f7f85b80c291d861f29fcc565e9e32e73f17b8e4d4ca0561d56fb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
56c91afa6d872000b5d6ab38ee3d20d0

SHA1
4a842667f83427474b176db9c3d10f1baa625386

SHA256
89bce7df885374c8ea0df25b63ddff585f923296c02789e5fcff008ac4ef77ad

SHA512
87d4c8cf177e1cecf71cf8c253e79e9fce64b58b0cfafb1da158428b845dc2ae98a892b3051e6314407a27ece80622785f9fb2933a18dfe8810c06beb035cb6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\update.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d3e9e3e02fea5a4877a5537066de8f5d

SHA1
212c81cabd09b5853480b292b42f3c9a4a7694b3

SHA256
377133478d27aa8001f50a69a61f46935245b5a8f807476616b96c9d413d3c3e

SHA512
f23694a7dc219df7945d238b9cdf0ab5738484e6c1b80b9ce0fb78dab8ae414124d9b436e6e59c442cf115a5c34a43408463f59398df7d032ba14ea12416dd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ba1195196851cee55d89edfd2414643e

SHA1
3d9f135fa447690e0c479cf6f3fa8bca7c578f84

SHA256
e7b462bf3dd5659475f60abc685ce3effa93b353a40ab44fe64ee71cdcc96768

SHA512
a850d507002fbc5da117b08d36ffba707e5410a43460f9ed63d1721a286bd3b9c405d8a75d66e5148d32f7e8f293cfa8ae31fd342f70eeb74a3544fd7d63dfda

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ba1195196851cee55d89edfd2414643e

SHA1
3d9f135fa447690e0c479cf6f3fa8bca7c578f84

SHA256
e7b462bf3dd5659475f60abc685ce3effa93b353a40ab44fe64ee71cdcc96768

SHA512
a850d507002fbc5da117b08d36ffba707e5410a43460f9ed63d1721a286bd3b9c405d8a75d66e5148d32f7e8f293cfa8ae31fd342f70eeb74a3544fd7d63dfda

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
1048515b44fd9ba5410fb910ec5fd98a

SHA1
9fb3f62290fe1c40e0b97f533ac9b980810ffccd

SHA256
ee20a2b5ff6acf5ee3750ed0d3406456b55360fa0d5da7541096248e5a9288ad

SHA512
bd130e5545fb7734422995d6aeb278918234d3afef5afaecf13b770d6202504937ee3ae54de55ae5a78cea5e4eb19b1ddf68d21b29bcd7e500b80788b6c587f4

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
1048515b44fd9ba5410fb910ec5fd98a

SHA1
9fb3f62290fe1c40e0b97f533ac9b980810ffccd

SHA256
ee20a2b5ff6acf5ee3750ed0d3406456b55360fa0d5da7541096248e5a9288ad

SHA512
bd130e5545fb7734422995d6aeb278918234d3afef5afaecf13b770d6202504937ee3ae54de55ae5a78cea5e4eb19b1ddf68d21b29bcd7e500b80788b6c587f4

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
d14eb6ccb0721814ca47c2374f769417

SHA1
86c0a1160bd5e135577beeb31f6fcde02988919d

SHA256
70f69faf333a659431b90fb0ba3e4c6f5fbad0548cdb3be0ca0018ffc190ac1a

SHA512
3f1d159097cc47c1ded1e402c188e9bb143e2468f456b188e54d4808c1bd6cb7c59ac97b1584b0d87463637c678524646531e723e26acc68c4d0b97807744030

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
d14eb6ccb0721814ca47c2374f769417

SHA1
86c0a1160bd5e135577beeb31f6fcde02988919d

SHA256
70f69faf333a659431b90fb0ba3e4c6f5fbad0548cdb3be0ca0018ffc190ac1a

SHA512
3f1d159097cc47c1ded1e402c188e9bb143e2468f456b188e54d4808c1bd6cb7c59ac97b1584b0d87463637c678524646531e723e26acc68c4d0b97807744030

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\225852786\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\225852786\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
42c240a666a13ceb9a58f439f3dd9cad

SHA1
07b3fba2007323b53036cc9b43ca47ee75406ace

SHA256
569dc8e4b9c50160f8c99ab15673158878fe8c88416f9346d5732aed6b670a22

SHA512
958365ef57b2ef8e607b003c0c9b503d75c00816604a84f6bc6e180f3cd49d32ca7bd8d6a2a7d08ca64a2666a59a620b69ba81e1d460cb63df6b63f974f9db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a26636a136e13b70cd93d9584bf0c195

SHA1
41c2d08ce2d68248592e7bc31c16c79d58f78338

SHA256
4e4d9f34161530f4d778cc197e1fec89d67b2fbce8524c03d2c2b8b6474f24d7

SHA512
3ba66daf7ff6438cf0b096e2f4ff7f54218f79bee0114126182f767f6b176b7832b2d00145f9fe346615277c4b54311d4decd97bb8e4d5bde74c31ac38f5f8b0

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f75d0642a376a748a23fea65c6f5a0c5

SHA1
c9971ecf7593d93db4653c1b363d209e2bcf7c12

SHA256
18a574a017e5d68379785e0763501d77d38eedab07e7cc1a95c1af49df1d0cdf

SHA512
deb4046243ac8b83bcde1857e5fd40b41f97df58c1824da254f13b8a337bb97a0bb2138cac560df418cfd7d9bd27f659909bc2c651411e285ee6ea149c26bd08

Download Submit
C:\backup.exe

Filesize
72KB

MD5
f75d0642a376a748a23fea65c6f5a0c5

SHA1
c9971ecf7593d93db4653c1b363d209e2bcf7c12

SHA256
18a574a017e5d68379785e0763501d77d38eedab07e7cc1a95c1af49df1d0cdf

SHA512
deb4046243ac8b83bcde1857e5fd40b41f97df58c1824da254f13b8a337bb97a0bb2138cac560df418cfd7d9bd27f659909bc2c651411e285ee6ea149c26bd08

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
1c792684f82889ec49835a5b229d4b98

SHA1
21031dd0d33b2ce250705228fea6e1848bee9b04

SHA256
52376ff4229cf369355ba752d7f3427c35c32e3b071bf7624d8a32bbfacb2db8

SHA512
138064c369dbc4c8e76876d139d4706e05ad02e1ce6a2d5ea8565d3261eaecde4b17f749882dba6740989db020af9070951e916b2741e87b369cf7aa7eb2f73c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads