3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517

Analysis

max time kernel
172s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe
Size

72KB
MD5

103acf9d1601d141a40c3c0f1b2c84d5
SHA1

61ef1dbde26e2b8e13ece7587da2cefe33715172
SHA256

3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517
SHA512

4ffd70c52a3f5fb15e3a2ee4e229b600fe8b2611ad75473ab6e2eca0d6a5ce3701689982699890455cc096b0b40c43d1a2765a48d6601ceb41591f8f855dcf3b
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2y:ipQNwC3BEddsEqOt/hyJF+x3BEJwRru

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4264	backup.exe
4512	backup.exe
1492	backup.exe
3844	backup.exe
4856	backup.exe
4820	update.exe
3968	backup.exe
3268	backup.exe
4716	backup.exe
1472	backup.exe
332	backup.exe
1936	backup.exe
1100	backup.exe
744	System Restore.exe
2340	backup.exe
32	backup.exe
2536	backup.exe
4276	backup.exe
3916	backup.exe
1428	backup.exe
3824	backup.exe
1312	update.exe
1012	backup.exe
4400	backup.exe
2764	data.exe
4916	backup.exe
3132	update.exe
2460	backup.exe
4668	backup.exe
4752	backup.exe
4312	backup.exe
3856	backup.exe
4620	backup.exe
1808	backup.exe
2124	update.exe
4440	backup.exe
5084	backup.exe
2268	backup.exe
2232	backup.exe
1244	backup.exe
3536	backup.exe
748	backup.exe
2120	backup.exe
2224	backup.exe
2584	backup.exe
836	backup.exe
2152	backup.exe
4988	backup.exe
2620	backup.exe
3144	backup.exe
460	backup.exe
3380	backup.exe
3984	backup.exe
4624	backup.exe
3060	backup.exe
4212	backup.exe
2932	backup.exe
4796	backup.exe
4760	backup.exe
4832	backup.exe
2640	backup.exe
3268	backup.exe
736	backup.exe
2272	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\data.exe	data.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe
4264	backup.exe
4512	backup.exe
1492	backup.exe
3844	backup.exe
4856	backup.exe
4820	update.exe
3968	backup.exe
3268	backup.exe
4716	backup.exe
1472	backup.exe
332	backup.exe
1936	backup.exe
1100	backup.exe
744	System Restore.exe
2340	backup.exe
32	backup.exe
2536	backup.exe
4276	backup.exe
3916	backup.exe
1312	update.exe
1428	backup.exe
4400	backup.exe
3824	backup.exe
1012	backup.exe
2764	data.exe
4916	backup.exe
3132	update.exe
2460	backup.exe
4752	backup.exe
4668	backup.exe
3856	backup.exe
4312	backup.exe
4620	backup.exe
1808	backup.exe
2124	update.exe
4440	backup.exe
5084	backup.exe
2268	backup.exe
2232	backup.exe
1244	backup.exe
3536	backup.exe
748	backup.exe
2120	backup.exe
2224	backup.exe
836	backup.exe
2584	backup.exe
2152	backup.exe
4988	backup.exe
2620	backup.exe
460	backup.exe
3144	backup.exe
4624	backup.exe
3984	backup.exe
3380	backup.exe
3060	backup.exe
4212	backup.exe
2932	backup.exe
4796	backup.exe
4760	backup.exe
4832	backup.exe
2640	backup.exe
3268	backup.exe
2272	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4264	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	81
PID 3520 wrote to memory of 4264	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	81
PID 3520 wrote to memory of 4264	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	81
PID 3520 wrote to memory of 4512	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	82
PID 3520 wrote to memory of 4512	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	82
PID 3520 wrote to memory of 4512	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	82
PID 3520 wrote to memory of 1492	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	83
PID 3520 wrote to memory of 1492	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	83
PID 3520 wrote to memory of 1492	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	83
PID 3520 wrote to memory of 3844	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	84
PID 3520 wrote to memory of 3844	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	84
PID 3520 wrote to memory of 3844	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	84
PID 4264 wrote to memory of 4856	4264	backup.exe	85
PID 4264 wrote to memory of 4856	4264	backup.exe	85
PID 4264 wrote to memory of 4856	4264	backup.exe	85
PID 3520 wrote to memory of 4820	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	86
PID 3520 wrote to memory of 4820	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	86
PID 3520 wrote to memory of 4820	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	86
PID 4856 wrote to memory of 3968	4856	backup.exe	87
PID 4856 wrote to memory of 3968	4856	backup.exe	87
PID 4856 wrote to memory of 3968	4856	backup.exe	87
PID 3520 wrote to memory of 3268	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	88
PID 3520 wrote to memory of 3268	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	88
PID 3520 wrote to memory of 3268	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	88
PID 4856 wrote to memory of 4716	4856	backup.exe	89
PID 4856 wrote to memory of 4716	4856	backup.exe	89
PID 4856 wrote to memory of 4716	4856	backup.exe	89
PID 3520 wrote to memory of 1472	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	90
PID 3520 wrote to memory of 1472	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	90
PID 3520 wrote to memory of 1472	3520	3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe	90
PID 4856 wrote to memory of 332	4856	backup.exe	91
PID 4856 wrote to memory of 332	4856	backup.exe	91
PID 4856 wrote to memory of 332	4856	backup.exe	91
PID 332 wrote to memory of 1936	332	backup.exe	92
PID 332 wrote to memory of 1936	332	backup.exe	92
PID 332 wrote to memory of 1936	332	backup.exe	92
PID 1936 wrote to memory of 1100	1936	backup.exe	93
PID 1936 wrote to memory of 1100	1936	backup.exe	93
PID 1936 wrote to memory of 1100	1936	backup.exe	93
PID 332 wrote to memory of 744	332	backup.exe	94
PID 332 wrote to memory of 744	332	backup.exe	94
PID 332 wrote to memory of 744	332	backup.exe	94
PID 744 wrote to memory of 2340	744	System Restore.exe	95
PID 744 wrote to memory of 2340	744	System Restore.exe	95
PID 744 wrote to memory of 2340	744	System Restore.exe	95
PID 744 wrote to memory of 32	744	System Restore.exe	96
PID 744 wrote to memory of 32	744	System Restore.exe	96
PID 744 wrote to memory of 32	744	System Restore.exe	96
PID 32 wrote to memory of 2536	32	backup.exe	97
PID 32 wrote to memory of 2536	32	backup.exe	97
PID 32 wrote to memory of 2536	32	backup.exe	97
PID 32 wrote to memory of 4276	32	backup.exe	98
PID 32 wrote to memory of 4276	32	backup.exe	98
PID 32 wrote to memory of 4276	32	backup.exe	98
PID 4276 wrote to memory of 3916	4276	backup.exe	100
PID 4276 wrote to memory of 3916	4276	backup.exe	100
PID 4276 wrote to memory of 3916	4276	backup.exe	100
PID 332 wrote to memory of 3824	332	backup.exe	102
PID 332 wrote to memory of 3824	332	backup.exe	102
PID 332 wrote to memory of 3824	332	backup.exe	102
PID 4856 wrote to memory of 1428	4856	backup.exe	105
PID 4856 wrote to memory of 1428	4856	backup.exe	105
PID 4856 wrote to memory of 1428	4856	backup.exe	105
PID 32 wrote to memory of 1312	32	backup.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe
"C:\Users\Admin\AppData\Local\Temp\3dcc94a5602af2abe7be3353f44fc6d0373288085aa7044bedf93347ff3ab517.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\3233373391\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3233373391\backup.exe C:\Users\Admin\AppData\Local\Temp\3233373391\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3968
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4716
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3904
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        8⤵
        
        PID:3412
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2536
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3380
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:736
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:2744
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        System policy modification
        
        PID:4676
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        System policy modification
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        
        PID:4352
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:3356
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1500
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:2292
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        System policy modification
        
        PID:3144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:3064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:4400
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4720
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        System policy modification
        
        PID:5080
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4868
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:2204
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:2344
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4788
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1468
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:2624
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:676
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2932
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2272
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3400
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4312
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5084
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3436
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:620
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4916
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:1924
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3712
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1712
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2840
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:1740
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4400
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4752
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1644
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:3408
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1980
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3744
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3888
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:4092
        
        C:\Program Files\Common Files\System\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3820
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1088
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2772
        
        C:\Program Files\Common Files\System\msadc\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\update.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1444
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3888
        
        C:\Program Files\Common Files\System\msadc\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\data.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        9⤵
        
        PID:3928
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1532
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3992
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2212
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2072
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2044
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3820
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        System policy modification
        
        PID:1820
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4904
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3824
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3856
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:460
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4832
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1472
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:2340
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5108
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3156
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1176
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3088
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4232
      - C:\Program Files\Internet Explorer\ja-JP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2256
      - C:\Program Files\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files\Internet Explorer\it-IT\System Restore.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1656
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3600
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1108
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1796
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:5056
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:3912
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        System policy modification
        
        PID:5108
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5000
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:1924
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:4784
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Drops file in Program Files directory
        
        PID:3052
        
        C:\Program Files\Java\jdk1.8.0_66\jre\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:2300
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:3556
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        System policy modification
        
        PID:4772
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:4052
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:2728
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        System policy modification
        
        PID:3100
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5064
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:1100
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1484
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        
        PID:4680
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:404
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
      - C:\Program Files\Microsoft Office\root\data.exe
        
        "C:\Program Files\Microsoft Office\root\data.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:2532
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        System policy modification
        
        PID:5064
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        System policy modification
        
        PID:2756
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:912
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:444
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1484
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Disables RegEdit via registry modification
        
        PID:5088
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        Drops file in Program Files directory
        
        PID:4708
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4908
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:4408
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:448
      - C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:3620
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Drops file in Program Files directory
        
        PID:3948
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:1708
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:724
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\
        9⤵
        
        PID:5104
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:4400
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\update.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:3552
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Drops file in Program Files directory
        
        PID:2212
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Disables RegEdit via registry modification
        
        PID:388
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:3588
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        System policy modification
        
        PID:1136
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1632
      - C:\Program Files\Mozilla Firefox\defaults\update.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\update.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1488
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1428
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4620
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:4396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:3844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:4640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:3340
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:5024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:1612
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1004
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:4880
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1432
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3640
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:1076
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:372
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:3428
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3128
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1012
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2576
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        System policy modification
        
        PID:3784
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:4524
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:3196
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:1476
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4524
      - C:\Program Files (x86)\Google\CrashReports\System Restore.exe
        
        "C:\Program Files (x86)\Google\CrashReports\System Restore.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:3428
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1484
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:3488
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:4360
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:2224
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4912
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        Drops file in Program Files directory
        
        PID:2796
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:3220
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1732
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\update.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:4136
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:1172
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:5048
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2924
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:1468
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:3444
      - C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:4784
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:3596
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1168
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4112
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:4336
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1560
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:548
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3368
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3668
      - C:\Users\Admin\Contacts\System Restore.exe
        
        "C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\
        6⤵
        
        PID:1980
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3736
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2244
      - C:\Users\Admin\Links\data.exe
        
        C:\Users\Admin\Links\data.exe C:\Users\Admin\Links\
        6⤵
        System policy modification
        
        PID:4860
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3080
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1824
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3988
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:688
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3816
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2252
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1116
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1404
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:3712
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3360
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4580
      - C:\Users\Public\Videos\data.exe
        
        C:\Users\Public\Videos\data.exe C:\Users\Public\Videos\
        6⤵
        
        PID:3944
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4056
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1708
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:228
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:3740
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:1972
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4924
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:3576
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2484
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3336
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        System policy modification
        
        PID:844
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4696
    - - C:\Windows\assembly\System Restore.exe
        
        "C:\Windows\assembly\System Restore.exe" C:\Windows\assembly\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2764
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:5100
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:1972
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2908
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:3008
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1472

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
- Modifies visibility of file extensions in Explorer
PID:4064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
1⤵
PID:3980

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3316

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3392

C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
1⤵
PID:4476

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2320
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:2304
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\data.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
    3⤵
    PID:4796
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1980
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:3536
    - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3064
      - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        6⤵
        
        PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
    3⤵
    PID:4516

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
838f001e50be575e60ca34c2b9fd2a4b

SHA1
1a65e17ace8c3232d8f000a70bd6c85bd68f1a4f

SHA256
4d67af82e554484d6faa05cfb4ccf3cc4c8d6be6862ca5a1e9a6200ad6a806c3

SHA512
45a8ec0f4458de749a20c058c9f876a4104f4ab725bfa733121b53e8121e9d692529d3f820294785ef7b9f7339a56cb400a5a63578778f078a6c608493183d09

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
838f001e50be575e60ca34c2b9fd2a4b

SHA1
1a65e17ace8c3232d8f000a70bd6c85bd68f1a4f

SHA256
4d67af82e554484d6faa05cfb4ccf3cc4c8d6be6862ca5a1e9a6200ad6a806c3

SHA512
45a8ec0f4458de749a20c058c9f876a4104f4ab725bfa733121b53e8121e9d692529d3f820294785ef7b9f7339a56cb400a5a63578778f078a6c608493183d09

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
ffb8c544c39c2bd16ff1e28c9e6f4823

SHA1
8b903bf8f6aa97eaa54417551627fa4f96715d54

SHA256
df54baec6c67db969890223df885d591ca351c5c713b0913bc51445b7c6d85de

SHA512
3e00062e370bd2418ca8e6ef49bfac8d3f3295290ca0b08555a3361fd5e5e7be86197974a03670f759924efb4e5576c7fed0fdc237ddf43e43277e0dea054214

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
ffb8c544c39c2bd16ff1e28c9e6f4823

SHA1
8b903bf8f6aa97eaa54417551627fa4f96715d54

SHA256
df54baec6c67db969890223df885d591ca351c5c713b0913bc51445b7c6d85de

SHA512
3e00062e370bd2418ca8e6ef49bfac8d3f3295290ca0b08555a3361fd5e5e7be86197974a03670f759924efb4e5576c7fed0fdc237ddf43e43277e0dea054214

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a70c9562590a49ec6d2d32429f5d0046

SHA1
c8bf9c67d90e453260514ce84157d1749ee23dbf

SHA256
587bfa3ab7f9b616c8a2dec09186eb85d1e5e408d1a938c1e4ce072733b3483e

SHA512
bdbea248c6474f35bfc056e839541e22a23fa7eb74a07002ded1b3a45b1b6348a8d969a8d371e7ae2024263190ea7284e2a74d0c3ae87a15e31d8c6b2aba0538

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a70c9562590a49ec6d2d32429f5d0046

SHA1
c8bf9c67d90e453260514ce84157d1749ee23dbf

SHA256
587bfa3ab7f9b616c8a2dec09186eb85d1e5e408d1a938c1e4ce072733b3483e

SHA512
bdbea248c6474f35bfc056e839541e22a23fa7eb74a07002ded1b3a45b1b6348a8d969a8d371e7ae2024263190ea7284e2a74d0c3ae87a15e31d8c6b2aba0538

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
781d1f795f6d64725f53f287c927da94

SHA1
6ff085a0c721d4c067d2d459ab132ca8a61d4202

SHA256
830643fdaaea4f9c276c740b125d036339064ddcdf9fa8189796a4e8a52e203f

SHA512
120fd95cf0065e0a2b33270828143f27910540f27074c9f91a9e2549cdbddd8cac3d9c72ccf7f6d7150d1abf07902ef79d3a77cbeca17a0e0788fa9bda8dbd24

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
781d1f795f6d64725f53f287c927da94

SHA1
6ff085a0c721d4c067d2d459ab132ca8a61d4202

SHA256
830643fdaaea4f9c276c740b125d036339064ddcdf9fa8189796a4e8a52e203f

SHA512
120fd95cf0065e0a2b33270828143f27910540f27074c9f91a9e2549cdbddd8cac3d9c72ccf7f6d7150d1abf07902ef79d3a77cbeca17a0e0788fa9bda8dbd24

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
2507f46a0c11a0d4389cd0789ddb9f4e

SHA1
80e89c3b1133451e6cd6fa34761b247d78fdfdd8

SHA256
02edf1ba92f40c554f6bd6beec0783500225b676a48caacf6ae97d30fb861bc8

SHA512
6940d161ea05c608caac8503e19653dc03baa960af9d642736dcc630819b9e1ef6cabebfbc160dd268d21d4263536f9118c7c80f582b20ec244d1d20d1f30a80

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
2507f46a0c11a0d4389cd0789ddb9f4e

SHA1
80e89c3b1133451e6cd6fa34761b247d78fdfdd8

SHA256
02edf1ba92f40c554f6bd6beec0783500225b676a48caacf6ae97d30fb861bc8

SHA512
6940d161ea05c608caac8503e19653dc03baa960af9d642736dcc630819b9e1ef6cabebfbc160dd268d21d4263536f9118c7c80f582b20ec244d1d20d1f30a80

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
e26f12262249aa48ad26e86b699fbbab

SHA1
6cb157f52efc1bc0f57cf81c22bac71a38a06bce

SHA256
fdc68c4caefe039c3f144729baf73a0e0e5202236b9c629bc8204a2349366072

SHA512
fe662a737ad953535ff51d1d5f892117a8321e9d90c3b8ef0d31d99df813b28673fda95fe0bd5807311b1e79b7b9d46d09995d936427ee7c04c1487157f0540a

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
e26f12262249aa48ad26e86b699fbbab

SHA1
6cb157f52efc1bc0f57cf81c22bac71a38a06bce

SHA256
fdc68c4caefe039c3f144729baf73a0e0e5202236b9c629bc8204a2349366072

SHA512
fe662a737ad953535ff51d1d5f892117a8321e9d90c3b8ef0d31d99df813b28673fda95fe0bd5807311b1e79b7b9d46d09995d936427ee7c04c1487157f0540a

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
781d1f795f6d64725f53f287c927da94

SHA1
6ff085a0c721d4c067d2d459ab132ca8a61d4202

SHA256
830643fdaaea4f9c276c740b125d036339064ddcdf9fa8189796a4e8a52e203f

SHA512
120fd95cf0065e0a2b33270828143f27910540f27074c9f91a9e2549cdbddd8cac3d9c72ccf7f6d7150d1abf07902ef79d3a77cbeca17a0e0788fa9bda8dbd24

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
781d1f795f6d64725f53f287c927da94

SHA1
6ff085a0c721d4c067d2d459ab132ca8a61d4202

SHA256
830643fdaaea4f9c276c740b125d036339064ddcdf9fa8189796a4e8a52e203f

SHA512
120fd95cf0065e0a2b33270828143f27910540f27074c9f91a9e2549cdbddd8cac3d9c72ccf7f6d7150d1abf07902ef79d3a77cbeca17a0e0788fa9bda8dbd24

Download Submit
C:\Program Files\Common Files\System\ado\backup.exe

Filesize
72KB

MD5
351f83fef9cd5762455930c02e80a088

SHA1
e701cb690a8e87683e079148ae374cec0a49dbce

SHA256
02dbf2028a14af06dc2db1cda1222aae7efa40a7734d548497a6dc13c31b55a4

SHA512
67eb2ce77fc2ec18e652aee3649b973b6eba9913889283ae7899d4ab28d3250764643e013877c8c89862b34369aa623482fbba9a14511280e8bcec8fe1ee37e5

Download Submit
C:\Program Files\Common Files\System\ado\backup.exe

Filesize
72KB

MD5
351f83fef9cd5762455930c02e80a088

SHA1
e701cb690a8e87683e079148ae374cec0a49dbce

SHA256
02dbf2028a14af06dc2db1cda1222aae7efa40a7734d548497a6dc13c31b55a4

SHA512
67eb2ce77fc2ec18e652aee3649b973b6eba9913889283ae7899d4ab28d3250764643e013877c8c89862b34369aa623482fbba9a14511280e8bcec8fe1ee37e5

Download Submit
C:\Program Files\Common Files\System\data.exe

Filesize
72KB

MD5
21de911ca49d9ec1367bc39ab4bdaf73

SHA1
465a1320f18b4bcbe9e27293302fda581b21252c

SHA256
99843f4cfba3e5c72af97b64932ff5a67839313885fd3dce20640c1957ce0c16

SHA512
a193c3265229c7736cb73cf83726607ad2414fba5c892e30027aaef60e16ac2ffb403d3994c9a3f882616968db3f3e13e00cae2526b9175183fcf5996e878376

Download Submit
C:\Program Files\Common Files\System\data.exe

Filesize
72KB

MD5
21de911ca49d9ec1367bc39ab4bdaf73

SHA1
465a1320f18b4bcbe9e27293302fda581b21252c

SHA256
99843f4cfba3e5c72af97b64932ff5a67839313885fd3dce20640c1957ce0c16

SHA512
a193c3265229c7736cb73cf83726607ad2414fba5c892e30027aaef60e16ac2ffb403d3994c9a3f882616968db3f3e13e00cae2526b9175183fcf5996e878376

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
342f04d28c54fe98f99236fe6fde2016

SHA1
3db03c2458cce07cb7908f3d23abf7de24f412e6

SHA256
c7195599fd4f2163f225ee50c865318bb7f9e6cfa92dbd1b3e0cef2285d3cb5b

SHA512
f770b274d24a39c142d24c8526b8f330e661193c879f4a904912e59735c8660a9db0d0359f9915818ec1654bc5b7eeb3c1bbf05bb9e9edba428c23e080a79a70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
342f04d28c54fe98f99236fe6fde2016

SHA1
3db03c2458cce07cb7908f3d23abf7de24f412e6

SHA256
c7195599fd4f2163f225ee50c865318bb7f9e6cfa92dbd1b3e0cef2285d3cb5b

SHA512
f770b274d24a39c142d24c8526b8f330e661193c879f4a904912e59735c8660a9db0d0359f9915818ec1654bc5b7eeb3c1bbf05bb9e9edba428c23e080a79a70

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
bdf9762db3e47b53d106b94a895a2ee3

SHA1
70993d8729c6c1d7a1cc16bbfe924c7494481b4a

SHA256
762fe4fcb1b41efba36d5867a00b13df0e7425bfa6f053c1b35cfcb9ca5827d6

SHA512
f16b17e58256cb0039fd0965471b74ef92c4c2f30049e7eabe4097325505fb7f91a9c5c5d61f5b1a57ea68a06f4c21d33318966dfd711e3ff98d6becb0026846

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
bdf9762db3e47b53d106b94a895a2ee3

SHA1
70993d8729c6c1d7a1cc16bbfe924c7494481b4a

SHA256
762fe4fcb1b41efba36d5867a00b13df0e7425bfa6f053c1b35cfcb9ca5827d6

SHA512
f16b17e58256cb0039fd0965471b74ef92c4c2f30049e7eabe4097325505fb7f91a9c5c5d61f5b1a57ea68a06f4c21d33318966dfd711e3ff98d6becb0026846

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe

Filesize
72KB

MD5
bdf9762db3e47b53d106b94a895a2ee3

SHA1
70993d8729c6c1d7a1cc16bbfe924c7494481b4a

SHA256
762fe4fcb1b41efba36d5867a00b13df0e7425bfa6f053c1b35cfcb9ca5827d6

SHA512
f16b17e58256cb0039fd0965471b74ef92c4c2f30049e7eabe4097325505fb7f91a9c5c5d61f5b1a57ea68a06f4c21d33318966dfd711e3ff98d6becb0026846

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe

Filesize
72KB

MD5
bdf9762db3e47b53d106b94a895a2ee3

SHA1
70993d8729c6c1d7a1cc16bbfe924c7494481b4a

SHA256
762fe4fcb1b41efba36d5867a00b13df0e7425bfa6f053c1b35cfcb9ca5827d6

SHA512
f16b17e58256cb0039fd0965471b74ef92c4c2f30049e7eabe4097325505fb7f91a9c5c5d61f5b1a57ea68a06f4c21d33318966dfd711e3ff98d6becb0026846

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
f804d171441474113fa1d0947e357c41

SHA1
9062e666fe9c7b5174f8b2224a81bcde654c29ec

SHA256
1bb7c70241cbc6b020cbfa9363af0cabc34b76618848050069e01298f4ef2947

SHA512
ac029eaa66a07aa506f637bd95591d5934234d3852fd47917c1c3f45ec1ea55bf4223692f148e14602dae4b287df34431bf39c51ae83b29065d4d1390b9f198e

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
f804d171441474113fa1d0947e357c41

SHA1
9062e666fe9c7b5174f8b2224a81bcde654c29ec

SHA256
1bb7c70241cbc6b020cbfa9363af0cabc34b76618848050069e01298f4ef2947

SHA512
ac029eaa66a07aa506f637bd95591d5934234d3852fd47917c1c3f45ec1ea55bf4223692f148e14602dae4b287df34431bf39c51ae83b29065d4d1390b9f198e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
2507f46a0c11a0d4389cd0789ddb9f4e

SHA1
80e89c3b1133451e6cd6fa34761b247d78fdfdd8

SHA256
02edf1ba92f40c554f6bd6beec0783500225b676a48caacf6ae97d30fb861bc8

SHA512
6940d161ea05c608caac8503e19653dc03baa960af9d642736dcc630819b9e1ef6cabebfbc160dd268d21d4263536f9118c7c80f582b20ec244d1d20d1f30a80

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
2507f46a0c11a0d4389cd0789ddb9f4e

SHA1
80e89c3b1133451e6cd6fa34761b247d78fdfdd8

SHA256
02edf1ba92f40c554f6bd6beec0783500225b676a48caacf6ae97d30fb861bc8

SHA512
6940d161ea05c608caac8503e19653dc03baa960af9d642736dcc630819b9e1ef6cabebfbc160dd268d21d4263536f9118c7c80f582b20ec244d1d20d1f30a80

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
b1d7e142ca9aafb64c2b8dfd950ed689

SHA1
8cc612da3ead0164d773940f66936ec91e4b2062

SHA256
15dec8a1673badb6a6128734882387ca26a17656845136057ca55b85e25d40e7

SHA512
69b6764790aa71c3b63e6b3a96193ca45b9614117f9a13a62d0f0e4c2152302555adde858d6b14b6d8d2c4de85364c6655d1cd810272d906b3fc83c1090c16ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
b1d7e142ca9aafb64c2b8dfd950ed689

SHA1
8cc612da3ead0164d773940f66936ec91e4b2062

SHA256
15dec8a1673badb6a6128734882387ca26a17656845136057ca55b85e25d40e7

SHA512
69b6764790aa71c3b63e6b3a96193ca45b9614117f9a13a62d0f0e4c2152302555adde858d6b14b6d8d2c4de85364c6655d1cd810272d906b3fc83c1090c16ab

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
573cb2ce9b98c98913da4101ce5584d5

SHA1
56fcdb5a2638fd6fa7031481385b11fefb54c5b9

SHA256
6455d0afd2fe56c7a4c45fbfaf5ef5f7218c5768c05cb0230dee88211dadc3b0

SHA512
c895a7703cd125c3e8e7845d4f21a2902450cf95d9b5967d8b74eab1ffe37e820db7680892d80aeedc3f619d97168e646bddc4d76329e4cf297c45cfd5e8a82f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
573cb2ce9b98c98913da4101ce5584d5

SHA1
56fcdb5a2638fd6fa7031481385b11fefb54c5b9

SHA256
6455d0afd2fe56c7a4c45fbfaf5ef5f7218c5768c05cb0230dee88211dadc3b0

SHA512
c895a7703cd125c3e8e7845d4f21a2902450cf95d9b5967d8b74eab1ffe37e820db7680892d80aeedc3f619d97168e646bddc4d76329e4cf297c45cfd5e8a82f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
59fff6be6b71e76bbeaadd796bbc1a2c

SHA1
617b80b9ca26fc8c8e2daa8c36413080ab56034e

SHA256
f53196198abb9c11fd5b6a70ad2140d5eb5edd558c671091f6f25b2389d5ead8

SHA512
d2e924a968a8938315d2de0e18156f91276c19e6f891c405ac022d5a5fb540d1d12abf9296dd2581d1348a6b30a0c026cf767f0943308d33fed7ca65a36ea3c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
59fff6be6b71e76bbeaadd796bbc1a2c

SHA1
617b80b9ca26fc8c8e2daa8c36413080ab56034e

SHA256
f53196198abb9c11fd5b6a70ad2140d5eb5edd558c671091f6f25b2389d5ead8

SHA512
d2e924a968a8938315d2de0e18156f91276c19e6f891c405ac022d5a5fb540d1d12abf9296dd2581d1348a6b30a0c026cf767f0943308d33fed7ca65a36ea3c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe

Filesize
72KB

MD5
a54b90e5a4091c9fa688bd70415c3951

SHA1
d8402e019c2eabda81d8dcab58aa3a54094a8bfe

SHA256
656aa03d040952b119557e1eda2a6e9c4587264ae28abeb2f06866f065d72db9

SHA512
25d1dcb2189e333fdd0577521c8de5f17fb76eb580f6ec905439d14f36c6af608067c2737fb863db06d0559c58880619a7d50d8d309d59ac78282322a2eaabd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\update.exe

Filesize
72KB

MD5
a54b90e5a4091c9fa688bd70415c3951

SHA1
d8402e019c2eabda81d8dcab58aa3a54094a8bfe

SHA256
656aa03d040952b119557e1eda2a6e9c4587264ae28abeb2f06866f065d72db9

SHA512
25d1dcb2189e333fdd0577521c8de5f17fb76eb580f6ec905439d14f36c6af608067c2737fb863db06d0559c58880619a7d50d8d309d59ac78282322a2eaabd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
a3f0bae5495b93380a7bc7534a868b6f

SHA1
75a394fbfc6e3833773bb2bfd80150444787f3ba

SHA256
6dca11a3ff2009c6bd5b86decd8cfdecf153a164359c547928cbd377ae07e2be

SHA512
812ff8b8b761204522f3557def11a984840e7990f2cbc7cf988a7ffe0cf355df45c42f385426c07addc14cf2b4847a4abca898d9bb46e615a400e09d8ad5a47a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
a3f0bae5495b93380a7bc7534a868b6f

SHA1
75a394fbfc6e3833773bb2bfd80150444787f3ba

SHA256
6dca11a3ff2009c6bd5b86decd8cfdecf153a164359c547928cbd377ae07e2be

SHA512
812ff8b8b761204522f3557def11a984840e7990f2cbc7cf988a7ffe0cf355df45c42f385426c07addc14cf2b4847a4abca898d9bb46e615a400e09d8ad5a47a

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
125670585ffe605e884038eb54e58133

SHA1
3762fe55f53c9263a94fd3d15c314990ee0924e5

SHA256
5842ebdb94a764d6906643f6db9499a47c4d51491eb522e888a287dee2d9f920

SHA512
21b8f0c6a67079d5785c3c686abd5a498efff8ceaaf08dedb80779fe408ceda1b7f6bf632a1230d36fb3205c2e865507c0b788f0fbbe731cf624f0040c5a327b

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
125670585ffe605e884038eb54e58133

SHA1
3762fe55f53c9263a94fd3d15c314990ee0924e5

SHA256
5842ebdb94a764d6906643f6db9499a47c4d51491eb522e888a287dee2d9f920

SHA512
21b8f0c6a67079d5785c3c686abd5a498efff8ceaaf08dedb80779fe408ceda1b7f6bf632a1230d36fb3205c2e865507c0b788f0fbbe731cf624f0040c5a327b

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
c978acd5b2bf371476dda41c9b278613

SHA1
a3f8a6aab25d9ace9ffd79f2773bcf9f8aa3f5f5

SHA256
20be5f2c927cbfa8934b4bc8741224dcf192bd4c09791abedafb6345b1f9cb4f

SHA512
621bf803c436e7e42ab276e133fc1cc1643b400eb55983c58f1e633f3a46707f0b5a7dbb809a87a63f7f8e9ef94e984db5190cdb6ae462312b8090757d59c9f6

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
c978acd5b2bf371476dda41c9b278613

SHA1
a3f8a6aab25d9ace9ffd79f2773bcf9f8aa3f5f5

SHA256
20be5f2c927cbfa8934b4bc8741224dcf192bd4c09791abedafb6345b1f9cb4f

SHA512
621bf803c436e7e42ab276e133fc1cc1643b400eb55983c58f1e633f3a46707f0b5a7dbb809a87a63f7f8e9ef94e984db5190cdb6ae462312b8090757d59c9f6

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
2d7ec82b1a7a39eb8638dbf9881fb621

SHA1
4efb3c537d78273eb527a7e97dab52341de7a872

SHA256
aaad501bbf8076f324a3d6ceda1fd3835e41fbe6d798e640b02b98f93f6c8cbd

SHA512
be8351c10f9fcfd302cf01d4edae34eafed0a9894589a68491d25c0f3cc5bf3195352c87a909baff1bc793667996f387f689520777779ec82329c887d38d22b7

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
2d7ec82b1a7a39eb8638dbf9881fb621

SHA1
4efb3c537d78273eb527a7e97dab52341de7a872

SHA256
aaad501bbf8076f324a3d6ceda1fd3835e41fbe6d798e640b02b98f93f6c8cbd

SHA512
be8351c10f9fcfd302cf01d4edae34eafed0a9894589a68491d25c0f3cc5bf3195352c87a909baff1bc793667996f387f689520777779ec82329c887d38d22b7

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
838f001e50be575e60ca34c2b9fd2a4b

SHA1
1a65e17ace8c3232d8f000a70bd6c85bd68f1a4f

SHA256
4d67af82e554484d6faa05cfb4ccf3cc4c8d6be6862ca5a1e9a6200ad6a806c3

SHA512
45a8ec0f4458de749a20c058c9f876a4104f4ab725bfa733121b53e8121e9d692529d3f820294785ef7b9f7339a56cb400a5a63578778f078a6c608493183d09

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
838f001e50be575e60ca34c2b9fd2a4b

SHA1
1a65e17ace8c3232d8f000a70bd6c85bd68f1a4f

SHA256
4d67af82e554484d6faa05cfb4ccf3cc4c8d6be6862ca5a1e9a6200ad6a806c3

SHA512
45a8ec0f4458de749a20c058c9f876a4104f4ab725bfa733121b53e8121e9d692529d3f820294785ef7b9f7339a56cb400a5a63578778f078a6c608493183d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3233373391\backup.exe

Filesize
72KB

MD5
cabfe66f8567a7d022f029776805eab2

SHA1
6b37b4c3581b408120b789375735f513f237fce2

SHA256
2862988727a42b745ec9b38d399160a0b34c6c02cf801781f7558aebc474f6c1

SHA512
9743ed0a926e9b9c6f9331f4d80add75de67333f91a54243b0e2b89030fd6984754eb2e25cb8c44288e14f52cdfac13f07b79f09dd4bfc6591d7e9a59cb1fbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3233373391\backup.exe

Filesize
72KB

MD5
cabfe66f8567a7d022f029776805eab2

SHA1
6b37b4c3581b408120b789375735f513f237fce2

SHA256
2862988727a42b745ec9b38d399160a0b34c6c02cf801781f7558aebc474f6c1

SHA512
9743ed0a926e9b9c6f9331f4d80add75de67333f91a54243b0e2b89030fd6984754eb2e25cb8c44288e14f52cdfac13f07b79f09dd4bfc6591d7e9a59cb1fbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
133aa228c51678129ea2a8dbe603e5f3

SHA1
381bdd070a2446f6a21662fb2ca3124def953c91

SHA256
e590c4425a164b9012cf420e91042810326c594c50e202e491f0d639a4d2d51f

SHA512
ee8a81deee75dd6881c4b5426096a040afbfbe59229be423f14c2ebe6253ec9f3036e3bbebeb39e114dfa75f9d2164613a099c997f20a94a4ddec1df4bef822e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\update.exe

Filesize
72KB

MD5
133aa228c51678129ea2a8dbe603e5f3

SHA1
381bdd070a2446f6a21662fb2ca3124def953c91

SHA256
e590c4425a164b9012cf420e91042810326c594c50e202e491f0d639a4d2d51f

SHA512
ee8a81deee75dd6881c4b5426096a040afbfbe59229be423f14c2ebe6253ec9f3036e3bbebeb39e114dfa75f9d2164613a099c997f20a94a4ddec1df4bef822e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d0a9aa81529386a69bd815bd2a13d766

SHA1
88587f64175bda645d0473c71ca56dac19baf3ba

SHA256
b976b39e4b20d3499171ecaacf578d06bfb73ece1397aadadd73b5dec4a7340e

SHA512
9591a88a8006607ac878423b57bcde9f596034a0374375f151d7c2e579476ea8a2608f81d8807be6bdfe849e13e17386e554ec90088e0e856978d16bcd0385c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d0a9aa81529386a69bd815bd2a13d766

SHA1
88587f64175bda645d0473c71ca56dac19baf3ba

SHA256
b976b39e4b20d3499171ecaacf578d06bfb73ece1397aadadd73b5dec4a7340e

SHA512
9591a88a8006607ac878423b57bcde9f596034a0374375f151d7c2e579476ea8a2608f81d8807be6bdfe849e13e17386e554ec90088e0e856978d16bcd0385c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
fdb9675eaec4083e97d3bd231461a6c6

SHA1
b5a3519c479d2d101662ceda45c41270ff50c1a2

SHA256
85ddbd9f044e4a58555611f139176fc1157076fe91233d30f8ebb7f5bfcf723c

SHA512
f6e84a8c5aa1b2947640aa0cacd92f458aafde512d78109f4ad36feb03bea4ca1855f7f5bc78efae43d2151bd8d3aa7c19a1a40332f2b377f4504766c3d0d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d0a9aa81529386a69bd815bd2a13d766

SHA1
88587f64175bda645d0473c71ca56dac19baf3ba

SHA256
b976b39e4b20d3499171ecaacf578d06bfb73ece1397aadadd73b5dec4a7340e

SHA512
9591a88a8006607ac878423b57bcde9f596034a0374375f151d7c2e579476ea8a2608f81d8807be6bdfe849e13e17386e554ec90088e0e856978d16bcd0385c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
d0a9aa81529386a69bd815bd2a13d766

SHA1
88587f64175bda645d0473c71ca56dac19baf3ba

SHA256
b976b39e4b20d3499171ecaacf578d06bfb73ece1397aadadd73b5dec4a7340e

SHA512
9591a88a8006607ac878423b57bcde9f596034a0374375f151d7c2e579476ea8a2608f81d8807be6bdfe849e13e17386e554ec90088e0e856978d16bcd0385c3

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a864cc12629bcdca27a017f4f01bc300

SHA1
8389825965c2a27d2c68a181ed61cc2fdd47ea76

SHA256
c0c0079e694e450d2f7bb16abf0589f940d0ba52cc57f37afff03021b2516e54

SHA512
5dfadc2197db764aea2c9ddeec59a42762ba80f90e8b4d3c1d2ec21c79ab4cec07d5c452e53afbc0e68d060989487f661d2ddbef0c8d19ad206e6613c6951221

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a864cc12629bcdca27a017f4f01bc300

SHA1
8389825965c2a27d2c68a181ed61cc2fdd47ea76

SHA256
c0c0079e694e450d2f7bb16abf0589f940d0ba52cc57f37afff03021b2516e54

SHA512
5dfadc2197db764aea2c9ddeec59a42762ba80f90e8b4d3c1d2ec21c79ab4cec07d5c452e53afbc0e68d060989487f661d2ddbef0c8d19ad206e6613c6951221

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
1333f695ba462caf6a89aaa5464d2ad7

SHA1
89e614416ba470ed5acd43a20b23437a332095e1

SHA256
7d0df79d49d9b97ee84daa417294da13aba5ba5c726f0a362f1cd6ba8afff463

SHA512
77d4c7fb070a3353bca1ddbb710cafeaf15a416868567ad6b272a2a1272fedc2bbe9d83950187d1e9371b3dfa1449760b6b348af73a672c34a1c05284e496e55

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
1333f695ba462caf6a89aaa5464d2ad7

SHA1
89e614416ba470ed5acd43a20b23437a332095e1

SHA256
7d0df79d49d9b97ee84daa417294da13aba5ba5c726f0a362f1cd6ba8afff463

SHA512
77d4c7fb070a3353bca1ddbb710cafeaf15a416868567ad6b272a2a1272fedc2bbe9d83950187d1e9371b3dfa1449760b6b348af73a672c34a1c05284e496e55

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads