e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9

Analysis

max time kernel
163s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
Size

72KB
MD5

963a71ab6a20f55b01e817ec7aa82845
SHA1

3c4126ce08d7e204553c49a9c6d398fcfed28ee5
SHA256

e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9
SHA512

475f2708b5adcd7c1899708a3641c9a91375de36f40c0cdeba936879beb7eb2fa0541d0744286bf037c284e50f4bc9dba0f1f09347917e7ad2da271cd02538fd
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGa:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrH

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4796	backup.exe
4144	backup.exe
4440	backup.exe
2008	backup.exe
4376	backup.exe
4488	backup.exe
4452	backup.exe
4112	backup.exe
1908	backup.exe
1816	backup.exe
3912	data.exe
2884	backup.exe
1384	backup.exe
3160	backup.exe
1876	backup.exe
2312	backup.exe
1220	data.exe
3888	backup.exe
4504	backup.exe
3876	update.exe
4088	backup.exe
1796	backup.exe
3856	data.exe
2864	backup.exe
3944	backup.exe
3604	backup.exe
3636	backup.exe
440	backup.exe
3620	backup.exe
1272	backup.exe
4668	backup.exe
2616	backup.exe
4372	backup.exe
3784	backup.exe
4968	backup.exe
4332	backup.exe
4220	backup.exe
1824	backup.exe
4684	backup.exe
3012	backup.exe
2456	backup.exe
2228	backup.exe
4804	update.exe
4020	backup.exe
3340	backup.exe
1372	backup.exe
4048	backup.exe
3652	backup.exe
4488	backup.exe
4984	backup.exe
2000	backup.exe
5100	backup.exe
3844	backup.exe
208	update.exe
400	backup.exe
4416	backup.exe
3896	backup.exe
3152	backup.exe
4412	backup.exe
3744	backup.exe
404	backup.exe
2544	backup.exe
2368	backup.exe
4388	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	update.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
4796	backup.exe
4144	backup.exe
4440	backup.exe
2008	backup.exe
4376	backup.exe
4488	backup.exe
4112	backup.exe
4452	backup.exe
1908	backup.exe
1816	backup.exe
3912	data.exe
2884	backup.exe
1384	backup.exe
3160	backup.exe
1876	backup.exe
2312	backup.exe
1220	data.exe
3888	backup.exe
4504	backup.exe
3876	update.exe
4088	backup.exe
1796	backup.exe
3856	data.exe
2864	backup.exe
3944	backup.exe
3604	backup.exe
3636	backup.exe
440	backup.exe
3620	backup.exe
1272	backup.exe
4668	backup.exe
2616	backup.exe
4372	backup.exe
3784	backup.exe
4968	backup.exe
4332	backup.exe
4220	backup.exe
1824	backup.exe
4684	backup.exe
3012	backup.exe
2456	backup.exe
2228	backup.exe
4804	update.exe
4020	backup.exe
3340	backup.exe
1372	backup.exe
4048	backup.exe
3652	backup.exe
4488	backup.exe
4984	backup.exe
2000	backup.exe
5100	backup.exe
3844	backup.exe
208	update.exe
400	backup.exe
4416	backup.exe
3896	backup.exe
3152	backup.exe
4412	backup.exe
3744	backup.exe
404	backup.exe
2544	backup.exe
2368	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4796	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	82
PID 4888 wrote to memory of 4796	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	82
PID 4888 wrote to memory of 4796	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	82
PID 4888 wrote to memory of 4144	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	83
PID 4888 wrote to memory of 4144	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	83
PID 4888 wrote to memory of 4144	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	83
PID 4888 wrote to memory of 4440	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	84
PID 4888 wrote to memory of 4440	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	84
PID 4888 wrote to memory of 4440	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	84
PID 4888 wrote to memory of 2008	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	85
PID 4888 wrote to memory of 2008	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	85
PID 4888 wrote to memory of 2008	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	85
PID 4888 wrote to memory of 4376	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	86
PID 4888 wrote to memory of 4376	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	86
PID 4888 wrote to memory of 4376	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	86
PID 4888 wrote to memory of 4488	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	87
PID 4888 wrote to memory of 4488	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	87
PID 4888 wrote to memory of 4488	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	87
PID 4796 wrote to memory of 4452	4796	backup.exe	88
PID 4796 wrote to memory of 4452	4796	backup.exe	88
PID 4796 wrote to memory of 4452	4796	backup.exe	88
PID 4888 wrote to memory of 4112	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	89
PID 4888 wrote to memory of 4112	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	89
PID 4888 wrote to memory of 4112	4888	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe	89
PID 4452 wrote to memory of 1908	4452	backup.exe	91
PID 4452 wrote to memory of 1908	4452	backup.exe	91
PID 4452 wrote to memory of 1908	4452	backup.exe	91
PID 4452 wrote to memory of 1816	4452	backup.exe	93
PID 4452 wrote to memory of 1816	4452	backup.exe	93
PID 4452 wrote to memory of 1816	4452	backup.exe	93
PID 4452 wrote to memory of 3912	4452	backup.exe	94
PID 4452 wrote to memory of 3912	4452	backup.exe	94
PID 4452 wrote to memory of 3912	4452	backup.exe	94
PID 3912 wrote to memory of 2884	3912	data.exe	95
PID 3912 wrote to memory of 2884	3912	data.exe	95
PID 3912 wrote to memory of 2884	3912	data.exe	95
PID 2884 wrote to memory of 1384	2884	backup.exe	96
PID 2884 wrote to memory of 1384	2884	backup.exe	96
PID 2884 wrote to memory of 1384	2884	backup.exe	96
PID 3912 wrote to memory of 3160	3912	data.exe	97
PID 3912 wrote to memory of 3160	3912	data.exe	97
PID 3912 wrote to memory of 3160	3912	data.exe	97
PID 3160 wrote to memory of 1876	3160	backup.exe	98
PID 3160 wrote to memory of 1876	3160	backup.exe	98
PID 3160 wrote to memory of 1876	3160	backup.exe	98
PID 3160 wrote to memory of 2312	3160	backup.exe	99
PID 3160 wrote to memory of 2312	3160	backup.exe	99
PID 3160 wrote to memory of 2312	3160	backup.exe	99
PID 2312 wrote to memory of 1220	2312	backup.exe	100
PID 2312 wrote to memory of 1220	2312	backup.exe	100
PID 2312 wrote to memory of 1220	2312	backup.exe	100
PID 2312 wrote to memory of 3888	2312	backup.exe	101
PID 2312 wrote to memory of 3888	2312	backup.exe	101
PID 2312 wrote to memory of 3888	2312	backup.exe	101
PID 3888 wrote to memory of 4504	3888	backup.exe	102
PID 3888 wrote to memory of 4504	3888	backup.exe	102
PID 3888 wrote to memory of 4504	3888	backup.exe	102
PID 3888 wrote to memory of 3876	3888	backup.exe	103
PID 3888 wrote to memory of 3876	3888	backup.exe	103
PID 3888 wrote to memory of 3876	3888	backup.exe	103
PID 3888 wrote to memory of 4088	3888	backup.exe	104
PID 3888 wrote to memory of 4088	3888	backup.exe	104
PID 3888 wrote to memory of 4088	3888	backup.exe	104
PID 3888 wrote to memory of 1796	3888	backup.exe	105

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe
"C:\Users\Admin\AppData\Local\Temp\e56ab86566f88d292bcdd79e5799f9f2ab7c9d2c5ef79b7667ed294be82301d9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4888
- C:\Users\Admin\AppData\Local\Temp\400574492\backup.exe
  C:\Users\Admin\AppData\Local\Temp\400574492\backup.exe C:\Users\Admin\AppData\Local\Temp\400574492\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1908
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1816
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1384
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2312
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1220
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4504
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\update.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3876
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3856
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1272
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3784
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4684
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4804
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3652
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5100
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4416
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3152
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:2692
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:4196
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\data.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        System policy modification
        
        PID:4460
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:1892
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4016
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4256
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:1368
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1020
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:3720
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2864
        
        C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        8⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2848
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        9⤵
        
        PID:4152
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        System policy modification
        
        PID:3964
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:1228
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:3960
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:1560
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3824
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:1576
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Drops file in Program Files directory
        
        PID:2252
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:3624
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2192
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4480
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:384
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4136
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4820
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:3836
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4364
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4416
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:3148
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2392
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4840
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1780
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3856
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3972
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        System policy modification
        
        PID:4592
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:768
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3176
        
        C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4984
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:480
        
        C:\Program Files\Common Files\System\Ole DB\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\data.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1808
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1160
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3140
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:5076
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2904
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3644
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1944
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:3012
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4860
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        System policy modification
        
        PID:3340
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2140
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:3412
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:4392
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        System policy modification
        
        PID:4944
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        System policy modification
        
        PID:4308
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2424
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2720
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1668
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:2280
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1888
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:3340
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1444
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:4364
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
      - C:\Program Files\Internet Explorer\ja-JP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4544
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:3188
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:3948
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:2192
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:1268
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        System policy modification
        
        PID:4248
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:1152
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:2540
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        System policy modification
        
        PID:2604
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:3736
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Drops file in Program Files directory
        
        PID:2188
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:2408
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:384
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        System policy modification
        
        PID:1556
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        System policy modification
        
        PID:4988
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:1548
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:3260
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:4100
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3348
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:2788
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:1796
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:1384
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:2424
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:3456
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4356
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        System policy modification
        
        PID:4648
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:5096
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:4448
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4844
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        System policy modification
        
        PID:4492
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:2260
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:4724
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:2984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:3576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:3688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:4908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        System policy modification
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:4272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:4092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:2720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        
        PID:3792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        System policy modification
        
        PID:2424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:3268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:4732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:2380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:8
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        System policy modification
        
        PID:4608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4452
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:2096
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:3744
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Drops file in Program Files directory
        
        PID:4784
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:1724
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1380
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        System policy modification
        
        PID:4788
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1376
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4256
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:3404
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3324
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        System policy modification
        
        PID:3828
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:4760
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:1652
      - C:\Program Files (x86)\Common Files\Services\data.exe
        
        "C:\Program Files (x86)\Common Files\Services\data.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:4816
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:3592
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1648
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3220
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:3624
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:3164
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        System policy modification
        
        PID:912
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3064
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:2848
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:208
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:4572
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:3932
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:4956
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:2824
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1636
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:3232
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:5000
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1384
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:692
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:4672
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1468
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1884
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3964
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:440
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        System policy modification
        
        PID:4684
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:1056
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1264
        
        C:\Users\Admin\Pictures\Camera Roll\System Restore.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\System Restore.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:1988
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:3164
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1644
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2392
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3640
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2692
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:3988
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4988
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1576
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        System policy modification
        
        PID:4900
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:4976
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:4676
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2864
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3232
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:4996
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:3580
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:1576
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2168
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
91ee6cd86926ecf4b6c1c4d65ccabe97

SHA1
77860ec379cb795133415db227c5643ab1d43050

SHA256
7d859383dd1416abfba7d89f3acab1e3224fc8daad3a238e842e657f33227a94

SHA512
2cb3780c1a9ad003ed1435f523dc42f9eac88371215a89811310981a0eb2b63293ebefe42ac1f4cd72fc266298a604ecc174720c96f5a37a1c5af75350c4abbb

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
91ee6cd86926ecf4b6c1c4d65ccabe97

SHA1
77860ec379cb795133415db227c5643ab1d43050

SHA256
7d859383dd1416abfba7d89f3acab1e3224fc8daad3a238e842e657f33227a94

SHA512
2cb3780c1a9ad003ed1435f523dc42f9eac88371215a89811310981a0eb2b63293ebefe42ac1f4cd72fc266298a604ecc174720c96f5a37a1c5af75350c4abbb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
84805dc66f0ab33fb01ca90a33922f52

SHA1
cfb6adca5fe84c65226c9ac7db5003b202ccc724

SHA256
d2b401b355b3fb86c12dca6c74c31e919d83c8d7b49e21a90d5eefff230dcc6d

SHA512
cfdac92387727baaaa1bf2796a9bf0f5ea82e6f20888b782828ae1a44acdd6eb9aa72227ad7009761ec72d2054c76e3fe8bb3a046227ed1acf40d464cb71c50d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
84805dc66f0ab33fb01ca90a33922f52

SHA1
cfb6adca5fe84c65226c9ac7db5003b202ccc724

SHA256
d2b401b355b3fb86c12dca6c74c31e919d83c8d7b49e21a90d5eefff230dcc6d

SHA512
cfdac92387727baaaa1bf2796a9bf0f5ea82e6f20888b782828ae1a44acdd6eb9aa72227ad7009761ec72d2054c76e3fe8bb3a046227ed1acf40d464cb71c50d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
68b603283afa0cef6bf35b17b0896efd

SHA1
08e319fa5523073e0f29590c8ee877cdd1ba82dd

SHA256
e69a1eaf6eb47163df9b1f7195baefc9119b1d50fc2b0e57b92af909be8cd1b5

SHA512
b4d8737050df7e88be1b117df72d1976e99ea9b2a2ddbcf55b81f44995d36940f6d022dc2fcd27cd7db307d2e921e6ce2eb39202708435ad47286a7645be1615

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
68b603283afa0cef6bf35b17b0896efd

SHA1
08e319fa5523073e0f29590c8ee877cdd1ba82dd

SHA256
e69a1eaf6eb47163df9b1f7195baefc9119b1d50fc2b0e57b92af909be8cd1b5

SHA512
b4d8737050df7e88be1b117df72d1976e99ea9b2a2ddbcf55b81f44995d36940f6d022dc2fcd27cd7db307d2e921e6ce2eb39202708435ad47286a7645be1615

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
442ba7230cae29579a7f1dd64d6a0523

SHA1
830cdc6cc3f7ce96c3f67111fc415be9d5f15962

SHA256
6583a569f5942e4ce53656f9a76c332fe52e1cb4a9d90047119d828f6bd7c4bf

SHA512
b2608f92368d33981c11bf456079add88b92f4e2e1b6b509c0a446d64487e1e7da7656cf4f229ea431a48e34e346b8c2220e2f597008f0a0aca09a4a4c06ccbe

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
442ba7230cae29579a7f1dd64d6a0523

SHA1
830cdc6cc3f7ce96c3f67111fc415be9d5f15962

SHA256
6583a569f5942e4ce53656f9a76c332fe52e1cb4a9d90047119d828f6bd7c4bf

SHA512
b2608f92368d33981c11bf456079add88b92f4e2e1b6b509c0a446d64487e1e7da7656cf4f229ea431a48e34e346b8c2220e2f597008f0a0aca09a4a4c06ccbe

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13302c4a662570565cb4ad444b505c53

SHA1
c56a2bd712bf8478df43064013ac8983752158d9

SHA256
c6757927153eb57204e18509e87cefe4d1eff43f81a1584387c0b29a2de4674f

SHA512
0223f1b0b7f79f271709da503e3eaf3f6820db55fd5287577e7a19ec5430928a69cdce3767673da96ae3780759bdfddbea5728f639c5c0598d066361c4ee37b5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
13302c4a662570565cb4ad444b505c53

SHA1
c56a2bd712bf8478df43064013ac8983752158d9

SHA256
c6757927153eb57204e18509e87cefe4d1eff43f81a1584387c0b29a2de4674f

SHA512
0223f1b0b7f79f271709da503e3eaf3f6820db55fd5287577e7a19ec5430928a69cdce3767673da96ae3780759bdfddbea5728f639c5c0598d066361c4ee37b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe

Filesize
72KB

MD5
41ce36484b181525afc4cb5768f9e9e6

SHA1
16284984456a35f0cc9e9d89f6e13ad67fa17b48

SHA256
094a195a9a0f892d8fec1e17aea0da2c39cedc767d037737d939302c9813e770

SHA512
d46d5ade51521192e11bf2a74c20c2add9ec4da283006804a22811c3ae289842b5fe7940a79444e7a40b9160dfdcf1435b225e5c110972dd0dd206a1a54dccb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\data.exe

Filesize
72KB

MD5
41ce36484b181525afc4cb5768f9e9e6

SHA1
16284984456a35f0cc9e9d89f6e13ad67fa17b48

SHA256
094a195a9a0f892d8fec1e17aea0da2c39cedc767d037737d939302c9813e770

SHA512
d46d5ade51521192e11bf2a74c20c2add9ec4da283006804a22811c3ae289842b5fe7940a79444e7a40b9160dfdcf1435b225e5c110972dd0dd206a1a54dccb5

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
442ba7230cae29579a7f1dd64d6a0523

SHA1
830cdc6cc3f7ce96c3f67111fc415be9d5f15962

SHA256
6583a569f5942e4ce53656f9a76c332fe52e1cb4a9d90047119d828f6bd7c4bf

SHA512
b2608f92368d33981c11bf456079add88b92f4e2e1b6b509c0a446d64487e1e7da7656cf4f229ea431a48e34e346b8c2220e2f597008f0a0aca09a4a4c06ccbe

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
442ba7230cae29579a7f1dd64d6a0523

SHA1
830cdc6cc3f7ce96c3f67111fc415be9d5f15962

SHA256
6583a569f5942e4ce53656f9a76c332fe52e1cb4a9d90047119d828f6bd7c4bf

SHA512
b2608f92368d33981c11bf456079add88b92f4e2e1b6b509c0a446d64487e1e7da7656cf4f229ea431a48e34e346b8c2220e2f597008f0a0aca09a4a4c06ccbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
41ce36484b181525afc4cb5768f9e9e6

SHA1
16284984456a35f0cc9e9d89f6e13ad67fa17b48

SHA256
094a195a9a0f892d8fec1e17aea0da2c39cedc767d037737d939302c9813e770

SHA512
d46d5ade51521192e11bf2a74c20c2add9ec4da283006804a22811c3ae289842b5fe7940a79444e7a40b9160dfdcf1435b225e5c110972dd0dd206a1a54dccb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
41ce36484b181525afc4cb5768f9e9e6

SHA1
16284984456a35f0cc9e9d89f6e13ad67fa17b48

SHA256
094a195a9a0f892d8fec1e17aea0da2c39cedc767d037737d939302c9813e770

SHA512
d46d5ade51521192e11bf2a74c20c2add9ec4da283006804a22811c3ae289842b5fe7940a79444e7a40b9160dfdcf1435b225e5c110972dd0dd206a1a54dccb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\update.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\update.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\data.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
db93ba7b719907ba8f410b80b2649112

SHA1
788a6c51da96db64bf701e3cfb534b2f44cddf7b

SHA256
18611a8fa8b34cf837e0c85293faa68f0b1bd16efa9475174651a39f7120d2c4

SHA512
1821b2650809017ff1f48caa90c5849cea0069940d7dd3563421d04c66c23f9697a653f6961d9bedcf6d9d816e7adb47465b054ef5acc75be4b837f0a72c36b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
53f9ea18af668977600a54bf6b46b19e

SHA1
b3227aa7dc5136fa55f518019b2b5a3dfbb69dfa

SHA256
e2c934e37d6bbff56859814d8a63c8c76c090e7646bad54ac64c962d869f074b

SHA512
d39d1e08cce86d2651379ec6ad785be951f9a6828fb37397db63d203451dd6790906425aed1ced0fd949a4ada79ccfa49140881bcbf87944688e66364b5c7dc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
01afe70f3d971e8f317f1bdea67af004

SHA1
3192f8ab03a160d34dc4cd41c1345dcb7d7f2cf2

SHA256
566bb6f7d41bc6c976a53d7e7b5eaa0851fb4c1168cb747bd4d68423a2c5255d

SHA512
df78091d579dcc6b8aebaca2791823b17eb902172dddeb44bf197166e6bb0f3eae29218ea5f9f7c470293ec699f2658f162cb9a2c304f3cc205fca0b42222c34

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
01afe70f3d971e8f317f1bdea67af004

SHA1
3192f8ab03a160d34dc4cd41c1345dcb7d7f2cf2

SHA256
566bb6f7d41bc6c976a53d7e7b5eaa0851fb4c1168cb747bd4d68423a2c5255d

SHA512
df78091d579dcc6b8aebaca2791823b17eb902172dddeb44bf197166e6bb0f3eae29218ea5f9f7c470293ec699f2658f162cb9a2c304f3cc205fca0b42222c34

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
01afe70f3d971e8f317f1bdea67af004

SHA1
3192f8ab03a160d34dc4cd41c1345dcb7d7f2cf2

SHA256
566bb6f7d41bc6c976a53d7e7b5eaa0851fb4c1168cb747bd4d68423a2c5255d

SHA512
df78091d579dcc6b8aebaca2791823b17eb902172dddeb44bf197166e6bb0f3eae29218ea5f9f7c470293ec699f2658f162cb9a2c304f3cc205fca0b42222c34

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
01afe70f3d971e8f317f1bdea67af004

SHA1
3192f8ab03a160d34dc4cd41c1345dcb7d7f2cf2

SHA256
566bb6f7d41bc6c976a53d7e7b5eaa0851fb4c1168cb747bd4d68423a2c5255d

SHA512
df78091d579dcc6b8aebaca2791823b17eb902172dddeb44bf197166e6bb0f3eae29218ea5f9f7c470293ec699f2658f162cb9a2c304f3cc205fca0b42222c34

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
91ee6cd86926ecf4b6c1c4d65ccabe97

SHA1
77860ec379cb795133415db227c5643ab1d43050

SHA256
7d859383dd1416abfba7d89f3acab1e3224fc8daad3a238e842e657f33227a94

SHA512
2cb3780c1a9ad003ed1435f523dc42f9eac88371215a89811310981a0eb2b63293ebefe42ac1f4cd72fc266298a604ecc174720c96f5a37a1c5af75350c4abbb

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
91ee6cd86926ecf4b6c1c4d65ccabe97

SHA1
77860ec379cb795133415db227c5643ab1d43050

SHA256
7d859383dd1416abfba7d89f3acab1e3224fc8daad3a238e842e657f33227a94

SHA512
2cb3780c1a9ad003ed1435f523dc42f9eac88371215a89811310981a0eb2b63293ebefe42ac1f4cd72fc266298a604ecc174720c96f5a37a1c5af75350c4abbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\400574492\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\400574492\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c1ad34fff2c8345ecabff25a0b4c2cbc

SHA1
fb8e32c99fd578975ec7f34793aa990cf87557ef

SHA256
daa5234ba155303f0917662506c5d82e5bd3f5e48459d34ddeca77b8c52e05e2

SHA512
1f055ad797132ce766cc073968e43a38ca7ebb929e3c6f02d7d365fdc253facc33ff8c60964a32a50a2d314a1346a1fab0537279b8cbfcc053213dcbbed9911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
c1ad34fff2c8345ecabff25a0b4c2cbc

SHA1
fb8e32c99fd578975ec7f34793aa990cf87557ef

SHA256
daa5234ba155303f0917662506c5d82e5bd3f5e48459d34ddeca77b8c52e05e2

SHA512
1f055ad797132ce766cc073968e43a38ca7ebb929e3c6f02d7d365fdc253facc33ff8c60964a32a50a2d314a1346a1fab0537279b8cbfcc053213dcbbed9911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
96189934c8d8d761186af98f53eef1c5

SHA1
37d07387243b8be48f35ce1faa6628389dafc91a

SHA256
e5b6787dcc347a85f6bb96604760521a82d571125dd7b2bc139f251645feea86

SHA512
6ef6d902310649568c7c7781b55a96637961f881c316092c0057a50b5b9afe4d08da9fe1cf8c0706dd80b12b37f61eed805dc5fc5ee555061a8195cdfba56367

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
2925a8c4fa698f1e8c4cc77fd0870827

SHA1
3dd329f51246bf57fdcf21a6f001a1c6eb17ffd1

SHA256
cc2086f2637c922d452c8ed250792b0741d88875b31c7a434ffb1d55c25ffe8a

SHA512
cbfa88be200fa79a6df3a6e75d7097542b7bfc15928ea1a2232a80d0c8388f5f788c9e3ac9e9bf63b19ee57544d78f4451f0cde0fabc60bf83736919d476f16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
2925a8c4fa698f1e8c4cc77fd0870827

SHA1
3dd329f51246bf57fdcf21a6f001a1c6eb17ffd1

SHA256
cc2086f2637c922d452c8ed250792b0741d88875b31c7a434ffb1d55c25ffe8a

SHA512
cbfa88be200fa79a6df3a6e75d7097542b7bfc15928ea1a2232a80d0c8388f5f788c9e3ac9e9bf63b19ee57544d78f4451f0cde0fabc60bf83736919d476f16b

Download Submit
C:\backup.exe

Filesize
72KB

MD5
26854794ae806aa02e32e792c6fa4f2b

SHA1
d317bb391a1fb79495f18aa18e69e8c24970d5f5

SHA256
9f83d1f7dc9a5eda2c95dbdf7bbf09149ba5a1277ce87fef90366222a9d24a24

SHA512
54f429c8942f2df271f98818a350ac3cd8a6d3c72998542d37d2cac7b05f9ad3c8ef47875701ce659058737ce29abf8cd8a5ea034ed52c614399e3afa9663665

Download Submit
C:\backup.exe

Filesize
72KB

MD5
26854794ae806aa02e32e792c6fa4f2b

SHA1
d317bb391a1fb79495f18aa18e69e8c24970d5f5

SHA256
9f83d1f7dc9a5eda2c95dbdf7bbf09149ba5a1277ce87fef90366222a9d24a24

SHA512
54f429c8942f2df271f98818a350ac3cd8a6d3c72998542d37d2cac7b05f9ad3c8ef47875701ce659058737ce29abf8cd8a5ea034ed52c614399e3afa9663665

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
7218ff51a1646fe65cf9d259a7114842

SHA1
e32780e065e67d452a7a32594c75b091c7596a8f

SHA256
9d3a1992790c11b6c88dc0858e249f05b0456d08a215a2f340c27097ae52e476

SHA512
37bf80a2c2cc272a121c1c6576fc86bded34cfab1f41a057c95842ca4f0b5748809884751140da214b31471a6c5a432eb8b1950ea617f17fb3a464230a33a8be

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
7218ff51a1646fe65cf9d259a7114842

SHA1
e32780e065e67d452a7a32594c75b091c7596a8f

SHA256
9d3a1992790c11b6c88dc0858e249f05b0456d08a215a2f340c27097ae52e476

SHA512
37bf80a2c2cc272a121c1c6576fc86bded34cfab1f41a057c95842ca4f0b5748809884751140da214b31471a6c5a432eb8b1950ea617f17fb3a464230a33a8be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads