dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3

Analysis

max time kernel
152s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe
Size

72KB
MD5

843bc71bcf62ca3a6791fa1fc1a15200
SHA1

741a4565c6fd94a5a839b45638660a22de742b4f
SHA256

dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3
SHA512

0e3fab49a50605b4c6dc811e7bbe97a7bdacfe07c9b399197431130b9c8f0d5854dd61497c129ee472805e08ca76473c032d6e5441446b1de71f6cb7b146025e
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyvUi:HeT7BVwxfvqguKRFAbi

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4908	backup.exe
1212	backup.exe
2896	backup.exe
2784	backup.exe
220	backup.exe
4728	backup.exe
3904	backup.exe
3040	backup.exe
1668	backup.exe
3332	backup.exe
2132	backup.exe
3372	backup.exe
4948	backup.exe
1364	backup.exe
1664	backup.exe
832	backup.exe
2840	backup.exe
932	backup.exe
1592	backup.exe
3660	backup.exe
1288	backup.exe
3464	backup.exe
3444	backup.exe
2640	backup.exe
2388	backup.exe
8	backup.exe
4084	backup.exe
4680	backup.exe
5008	backup.exe
920	backup.exe
3268	backup.exe
2192	backup.exe
3584	backup.exe
1844	backup.exe
3368	backup.exe
1108	backup.exe
2936	backup.exe
2204	backup.exe
3700	backup.exe
1196	backup.exe
4888	backup.exe
4640	update.exe
3952	backup.exe
3936	backup.exe
2628	backup.exe
4584	backup.exe
4560	backup.exe
2168	backup.exe
4704	backup.exe
1688	backup.exe
3340	backup.exe
1704	backup.exe
5000	update.exe
2896	backup.exe
372	backup.exe
220	data.exe
5112	data.exe
3016	data.exe
4728	backup.exe
2424	backup.exe
5036	backup.exe
2216	backup.exe
2128	backup.exe
4720	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\System Restore.exe	update.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	update.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe
4908	backup.exe
1212	backup.exe
2896	backup.exe
2784	backup.exe
220	backup.exe
4728	backup.exe
3904	backup.exe
3040	backup.exe
1668	backup.exe
3332	backup.exe
2132	backup.exe
3372	backup.exe
4948	backup.exe
1364	backup.exe
1664	backup.exe
832	backup.exe
2840	backup.exe
932	backup.exe
1592	backup.exe
3660	backup.exe
1288	backup.exe
3464	backup.exe
3444	backup.exe
2640	backup.exe
2388	backup.exe
8	backup.exe
4084	backup.exe
4680	backup.exe
5008	backup.exe
920	backup.exe
3268	backup.exe
2192	backup.exe
3584	backup.exe
3368	backup.exe
1108	backup.exe
2936	backup.exe
1844	backup.exe
2204	backup.exe
1196	backup.exe
3700	backup.exe
4888	backup.exe
4640	update.exe
3952	backup.exe
2628	backup.exe
4584	backup.exe
3936	backup.exe
4560	backup.exe
2168	backup.exe
4704	backup.exe
1688	backup.exe
3340	backup.exe
1704	backup.exe
5000	update.exe
2896	backup.exe
372	backup.exe
220	data.exe
5112	data.exe
3016	data.exe
4728	backup.exe
2424	backup.exe
5036	backup.exe
2216	backup.exe
2128	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4908	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	84
PID 4856 wrote to memory of 4908	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	84
PID 4856 wrote to memory of 4908	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	84
PID 4856 wrote to memory of 1212	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	86
PID 4856 wrote to memory of 1212	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	86
PID 4856 wrote to memory of 1212	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	86
PID 4856 wrote to memory of 2896	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	87
PID 4856 wrote to memory of 2896	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	87
PID 4856 wrote to memory of 2896	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	87
PID 4856 wrote to memory of 2784	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	88
PID 4856 wrote to memory of 2784	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	88
PID 4856 wrote to memory of 2784	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	88
PID 4856 wrote to memory of 220	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	89
PID 4856 wrote to memory of 220	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	89
PID 4856 wrote to memory of 220	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	89
PID 4856 wrote to memory of 4728	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	90
PID 4856 wrote to memory of 4728	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	90
PID 4856 wrote to memory of 4728	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	90
PID 4908 wrote to memory of 3904	4908	backup.exe	91
PID 4908 wrote to memory of 3904	4908	backup.exe	91
PID 4908 wrote to memory of 3904	4908	backup.exe	91
PID 4856 wrote to memory of 3040	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	92
PID 4856 wrote to memory of 3040	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	92
PID 4856 wrote to memory of 3040	4856	dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe	92
PID 3904 wrote to memory of 1668	3904	backup.exe	93
PID 3904 wrote to memory of 1668	3904	backup.exe	93
PID 3904 wrote to memory of 1668	3904	backup.exe	93
PID 3904 wrote to memory of 3332	3904	backup.exe	94
PID 3904 wrote to memory of 3332	3904	backup.exe	94
PID 3904 wrote to memory of 3332	3904	backup.exe	94
PID 3904 wrote to memory of 2132	3904	backup.exe	95
PID 3904 wrote to memory of 2132	3904	backup.exe	95
PID 3904 wrote to memory of 2132	3904	backup.exe	95
PID 2132 wrote to memory of 3372	2132	backup.exe	96
PID 2132 wrote to memory of 3372	2132	backup.exe	96
PID 2132 wrote to memory of 3372	2132	backup.exe	96
PID 3372 wrote to memory of 4948	3372	backup.exe	97
PID 3372 wrote to memory of 4948	3372	backup.exe	97
PID 3372 wrote to memory of 4948	3372	backup.exe	97
PID 2132 wrote to memory of 1364	2132	backup.exe	98
PID 2132 wrote to memory of 1364	2132	backup.exe	98
PID 2132 wrote to memory of 1364	2132	backup.exe	98
PID 1364 wrote to memory of 1664	1364	backup.exe	99
PID 1364 wrote to memory of 1664	1364	backup.exe	99
PID 1364 wrote to memory of 1664	1364	backup.exe	99
PID 1364 wrote to memory of 832	1364	backup.exe	100
PID 1364 wrote to memory of 832	1364	backup.exe	100
PID 1364 wrote to memory of 832	1364	backup.exe	100
PID 832 wrote to memory of 2840	832	backup.exe	101
PID 832 wrote to memory of 2840	832	backup.exe	101
PID 832 wrote to memory of 2840	832	backup.exe	101
PID 832 wrote to memory of 932	832	backup.exe	102
PID 832 wrote to memory of 932	832	backup.exe	102
PID 832 wrote to memory of 932	832	backup.exe	102
PID 932 wrote to memory of 1592	932	backup.exe	103
PID 932 wrote to memory of 1592	932	backup.exe	103
PID 932 wrote to memory of 1592	932	backup.exe	103
PID 932 wrote to memory of 3660	932	backup.exe	104
PID 932 wrote to memory of 3660	932	backup.exe	104
PID 932 wrote to memory of 3660	932	backup.exe	104
PID 932 wrote to memory of 1288	932	backup.exe	105
PID 932 wrote to memory of 1288	932	backup.exe	105
PID 932 wrote to memory of 1288	932	backup.exe	105
PID 932 wrote to memory of 3464	932	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe
"C:\Users\Admin\AppData\Local\Temp\dc1265db31eaa918673e0c425fae4f2cf1ab5f1fb389f0afd61e61b2275fe9e3.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\13669749\backup.exe
  C:\Users\Admin\AppData\Local\Temp\13669749\backup.exe C:\Users\Admin\AppData\Local\Temp\13669749\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4908
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1668
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3332
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2132
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3372
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4948
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1364
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1664
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:832
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3464
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2388
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2192
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3584
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3952
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5112
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:3712
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        System policy modification
        
        PID:1248
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:3112
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        System policy modification
        
        PID:4032
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:828
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:3216
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:5000
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:4144
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        System policy modification
        
        PID:3200
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:4268
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:2552
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2776
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:3264
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1432
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3700
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4724
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1948
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4496
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2220
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1144
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4912
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4624
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        System policy modification
        
        PID:4756
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        System policy modification
        
        PID:2344
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Drops file in Program Files directory
        
        PID:728
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:3432
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
      - C:\Program Files\Common Files\System\update.exe
        
        "C:\Program Files\Common Files\System\update.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Program Files\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\update.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5000
        
        C:\Program Files\Common Files\System\ado\en-US\data.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\data.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3512
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:920
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1008
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2824
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4036
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:3664
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1532
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3660
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:880
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4032
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:752
        
        C:\Program Files\Common Files\System\Ole DB\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\update.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2424
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3040
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3116
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        System policy modification
        
        PID:2208
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:3960
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3368
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1196
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:4312
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2596
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3648
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:1164
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2004
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:3428
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4472
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3828
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:4936
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2916
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2060
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        System policy modification
        
        PID:3628
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        System policy modification
        
        PID:4976
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4140
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:3492
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4228
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:2120
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Drops file in Program Files directory
        
        PID:1788
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4128
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4620
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:3652
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:400
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:1040
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1844
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2204
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        System policy modification
        
        PID:4620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        System policy modification
        
        PID:4420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:3116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:3692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        System policy modification
        
        PID:2468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        System policy modification
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:3800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:4196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:3572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:4160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        System policy modification
        
        PID:2488
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:3732
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1736
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:548
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4928
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:1896
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:2856
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        System policy modification
        
        PID:2076
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Drops file in Program Files directory
        
        PID:1280
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3404
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:1908
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:1200
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Drops file in Program Files directory
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        System policy modification
        
        PID:4484
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4052
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        System policy modification
        
        PID:2548
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:4016
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3452
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1664
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:2544
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1900
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:2664
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:1772
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Drops file in Program Files directory
        
        PID:4548
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:2416
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4872
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:3628
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:456
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:5040
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4076
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4060
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2304
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3556
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2128
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2236
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2964
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:228
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        System policy modification
        
        PID:2304
        
        C:\Users\Admin\Pictures\Camera Roll\System Restore.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\System Restore.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        System policy modification
        
        PID:4488
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
      - C:\Users\Admin\Searches\System Restore.exe
        
        "C:\Users\Admin\Searches\System Restore.exe" C:\Users\Admin\Searches\
        6⤵
        
        PID:4264
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:2284
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
    - - C:\Windows\appcompat\update.exe
        
        C:\Windows\appcompat\update.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:1408
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1412
        
        C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe
        
        "C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe" C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:816
      - C:\Windows\appcompat\encapsulation\System Restore.exe
        
        "C:\Windows\appcompat\encapsulation\System Restore.exe" C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:1296
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        System policy modification
        
        PID:4512
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:2628
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4952
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:4720
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:1068
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:220
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
c4ad6470d0df34c93287769440645aa9

SHA1
6e5b576e8758640580789a166b2630c2905bd844

SHA256
967473c90564e98f196df4aad4cf8f68ee4b23d3cff04a50be8e9a838ca1f886

SHA512
693d851bf9ca7f68f107954bb9559a73280a4998e73d53c748045a5b01a58f47264954d8906307bd690022cbc7967e35264e31b21c24f14e9a962bc402b0dce0

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
c4ad6470d0df34c93287769440645aa9

SHA1
6e5b576e8758640580789a166b2630c2905bd844

SHA256
967473c90564e98f196df4aad4cf8f68ee4b23d3cff04a50be8e9a838ca1f886

SHA512
693d851bf9ca7f68f107954bb9559a73280a4998e73d53c748045a5b01a58f47264954d8906307bd690022cbc7967e35264e31b21c24f14e9a962bc402b0dce0

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1641fe1b2575425548ad59a51018cf51

SHA1
f4521d7712cdc1aed12145daeeca38604c73d983

SHA256
1dc01941a2006646c1ebf6a5a2951e6d68737dae7dd2bce34e7ac305c6cdcd24

SHA512
e08fc47db3c899c14e23abd9bf287dc054daf174f96058007b010e9abe9f8dae5d40686475c98492e149b75136168e24d77fd83e17457d2043cac59dbaec6d01

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
1641fe1b2575425548ad59a51018cf51

SHA1
f4521d7712cdc1aed12145daeeca38604c73d983

SHA256
1dc01941a2006646c1ebf6a5a2951e6d68737dae7dd2bce34e7ac305c6cdcd24

SHA512
e08fc47db3c899c14e23abd9bf287dc054daf174f96058007b010e9abe9f8dae5d40686475c98492e149b75136168e24d77fd83e17457d2043cac59dbaec6d01

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e7db470cc871bdec384b5d617032dd17

SHA1
5d7fb317a626a696cb72e46f32794cfc844ff623

SHA256
1a7fec5ae42670f8c612402d28dcae7ad19f80c04b0965f4ecfe444a2f8861f2

SHA512
41f12e5bb5537363a9d6bfcff7191e53a0038cc6a90d6464c988ed6aea29bd3b453d12fcc10df72470c910fe62a3e7b6e2769a0c3cd43507ca873dba5bae3934

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e7db470cc871bdec384b5d617032dd17

SHA1
5d7fb317a626a696cb72e46f32794cfc844ff623

SHA256
1a7fec5ae42670f8c612402d28dcae7ad19f80c04b0965f4ecfe444a2f8861f2

SHA512
41f12e5bb5537363a9d6bfcff7191e53a0038cc6a90d6464c988ed6aea29bd3b453d12fcc10df72470c910fe62a3e7b6e2769a0c3cd43507ca873dba5bae3934

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
fdd8affba3753f191852427cb711de12

SHA1
bb0b900b61615ea252dec9fe992e85efb158301f

SHA256
110b1f25e3dacb68406ed1974cfea4ab6e0134d8d8b40d33b10da3f1bb36400c

SHA512
ae97b3bd1dd7af108da9f075756b1abee7682c037dcf72f7b10402446c8df849346b9e468583536d978ed45d143295a9c8980ef48c3b1ed3713ca0a31a887915

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
fdd8affba3753f191852427cb711de12

SHA1
bb0b900b61615ea252dec9fe992e85efb158301f

SHA256
110b1f25e3dacb68406ed1974cfea4ab6e0134d8d8b40d33b10da3f1bb36400c

SHA512
ae97b3bd1dd7af108da9f075756b1abee7682c037dcf72f7b10402446c8df849346b9e468583536d978ed45d143295a9c8980ef48c3b1ed3713ca0a31a887915

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eb9a498265377fe5720debb210f3da0e

SHA1
d6fe403cc45bde5fac118e2ce9ba27d4ccba803c

SHA256
ad5e3cbe5a630aec1fea4cdaf30a1d86dd57a4e330ea4341df5f3e3f78837d44

SHA512
576053a7d9b3e13e126d467ef6b6b95c945fe6f8385c44e387d145cea8610231e82a6800d2efad5fa162367fba4604ed01dbffba635407f8ec683099b00a2b41

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
eb9a498265377fe5720debb210f3da0e

SHA1
d6fe403cc45bde5fac118e2ce9ba27d4ccba803c

SHA256
ad5e3cbe5a630aec1fea4cdaf30a1d86dd57a4e330ea4341df5f3e3f78837d44

SHA512
576053a7d9b3e13e126d467ef6b6b95c945fe6f8385c44e387d145cea8610231e82a6800d2efad5fa162367fba4604ed01dbffba635407f8ec683099b00a2b41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b491d5019425825041a9234dc5c2aa7b

SHA1
27044ad917118f8f1be5f0c5ca8662839141e7ca

SHA256
a829622065fcb83c64dcdbbf9f344c840f707660d431be4eb82b795cfe90883d

SHA512
2a91568e04a2d52af43bf219f2f9e5016fa96015d2d2b6a84281ef5f0299a701008c082e9dd368be6a57d48ad64f796f6199672b30b3f9551093e4fb4bf46aa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
b491d5019425825041a9234dc5c2aa7b

SHA1
27044ad917118f8f1be5f0c5ca8662839141e7ca

SHA256
a829622065fcb83c64dcdbbf9f344c840f707660d431be4eb82b795cfe90883d

SHA512
2a91568e04a2d52af43bf219f2f9e5016fa96015d2d2b6a84281ef5f0299a701008c082e9dd368be6a57d48ad64f796f6199672b30b3f9551093e4fb4bf46aa1

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
6a2525379a461c5cd69ec5729d7a4718

SHA1
d3b78b5a5295c935bb233bb11a1fe095e81a9908

SHA256
045555fa912f2dd495be8524c1978797066d32c6b3edc5209e7b561b75a5abab

SHA512
3b51029ae6b397dc92072e2d8755b4a45c18dbc9114b56ce15d6322c12135e84d647352595368a204197221c4c79f0960cd1c894bceeeeddc353cfaf0433abc5

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
6a2525379a461c5cd69ec5729d7a4718

SHA1
d3b78b5a5295c935bb233bb11a1fe095e81a9908

SHA256
045555fa912f2dd495be8524c1978797066d32c6b3edc5209e7b561b75a5abab

SHA512
3b51029ae6b397dc92072e2d8755b4a45c18dbc9114b56ce15d6322c12135e84d647352595368a204197221c4c79f0960cd1c894bceeeeddc353cfaf0433abc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b491d5019425825041a9234dc5c2aa7b

SHA1
27044ad917118f8f1be5f0c5ca8662839141e7ca

SHA256
a829622065fcb83c64dcdbbf9f344c840f707660d431be4eb82b795cfe90883d

SHA512
2a91568e04a2d52af43bf219f2f9e5016fa96015d2d2b6a84281ef5f0299a701008c082e9dd368be6a57d48ad64f796f6199672b30b3f9551093e4fb4bf46aa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b491d5019425825041a9234dc5c2aa7b

SHA1
27044ad917118f8f1be5f0c5ca8662839141e7ca

SHA256
a829622065fcb83c64dcdbbf9f344c840f707660d431be4eb82b795cfe90883d

SHA512
2a91568e04a2d52af43bf219f2f9e5016fa96015d2d2b6a84281ef5f0299a701008c082e9dd368be6a57d48ad64f796f6199672b30b3f9551093e4fb4bf46aa1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
5b849cf8e9f49e37c6339db4c0739429

SHA1
2d63ef276a80d302d88cf2b4910b167da4c1e1c8

SHA256
57befec0eac2d06700a6f75fcc4eec4f1015ba4d28bfdf8fda83904fa4c5d88f

SHA512
639bafcfbe134fc290041c1f3475bbbd2583a71a9f5a2b1febf43cccbaa3ed6435857d9ae0ccc6f87e54dfd4c8e38620e32203f4518e9b9077a162e5ef69645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
538c7ceee970805dc9b1d4e6d89fbcd7

SHA1
1d6ca00969fd8ef8a0c720d1b8b1febd07df972d

SHA256
09bc2b70d4b94cf3b48894698db5ec0ed17d07a0155a9af0753fa7875628fb21

SHA512
60ef002e8c64276d825d5787b5def5a831034be5a582481d8984c7414ee0c89e3011d0368cb41b7ba0c79d40b30b22c5d17d7f07ce23137bfd58ddd2954caae7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
7945fa31d1ba00d1bbc55264abe1ba75

SHA1
dc6d3c3ac938564556ed4c706a471f496b5cb8d8

SHA256
8b31036a7705910b821123a459565dc91fe12d55e1be9f810b0b037fe7992d4f

SHA512
7e844c8b2c3da114795ba742b4fd9f0b04356e1dfe873976f3b86be29275f960a3f99838aba5f1a5e0d8d48a0b703584c3782fc149dfa0a4696bd06bc4c4c698

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
768d00cfef5533b7cd2ede7d055e253a

SHA1
fa5cb5fe3b8506e904afea8ff30437452af621a4

SHA256
15b3dd6a92ede49afb64e42eb450c432ba4b404d5b52e10760cde1be1b89117a

SHA512
1e49b8f94ab33fdfa23596203a0fbd28f439ddb8615fcb154cf4cad1df4ee4f46687d17d2130627011ce4b2dc05ba41f1ab59671ec11831fbdb7848f55ca917d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
768d00cfef5533b7cd2ede7d055e253a

SHA1
fa5cb5fe3b8506e904afea8ff30437452af621a4

SHA256
15b3dd6a92ede49afb64e42eb450c432ba4b404d5b52e10760cde1be1b89117a

SHA512
1e49b8f94ab33fdfa23596203a0fbd28f439ddb8615fcb154cf4cad1df4ee4f46687d17d2130627011ce4b2dc05ba41f1ab59671ec11831fbdb7848f55ca917d

Download Submit
C:\Users\Admin\AppData\Local\Temp\13669749\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\13669749\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
91ed366c1d7a45a67b6a98ae2fa52eb3

SHA1
ad55d94d1f1273c7cba185a12f9a16d8a28f2ebf

SHA256
584382e91931775076344377ba71d15724ab6bc11295a7789af518c785931799

SHA512
133ab594a883f4281b1417b72a3a53d9c7b80c21f3e5155dd92d08a366d2f7c2267f26a6d3b62effb9d053416814491c7f9b64a551301ca137a8cc6d3d37cbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
0d9b3daa412f4cede63c756be736eadf

SHA1
e617b03c3bec26b8bc72a3009fdf27b31162bb2f

SHA256
19c041dcdac65a162f05ea8fe5f7a9085fdd9993e070e52598192adda16a1a6f

SHA512
e8ceba0387ba1f577e0731cb843f8cc5fd8c13490823bb83bb3343be897ec15a392ee8065908a250ae911619952f505053d4310b1376913e5f82e0032168ed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9493c1a731afa88d0060d91a00706dd3

SHA1
eaef1f68666337d3f90f979f4adffbf099e7abd3

SHA256
5958e467632a2e67035dd163bdd164530af2c74951beff1456bf98bf920d89c5

SHA512
f82d4b8c6700c2afec1332affc0d3b9a8b7026f79b7717f68e0033cfa615945f2747d936d2ed1bea06fa6008bf51c83ae4442c7b42baa163e3e9d2cf0ae5e5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9493c1a731afa88d0060d91a00706dd3

SHA1
eaef1f68666337d3f90f979f4adffbf099e7abd3

SHA256
5958e467632a2e67035dd163bdd164530af2c74951beff1456bf98bf920d89c5

SHA512
f82d4b8c6700c2afec1332affc0d3b9a8b7026f79b7717f68e0033cfa615945f2747d936d2ed1bea06fa6008bf51c83ae4442c7b42baa163e3e9d2cf0ae5e5df

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a062116d5d465ad6a88dc2955ded39fd

SHA1
bb8f2ef7a423772f341d843d31c9e27ed960e18b

SHA256
7130b81b7d736f5d2d5ba032ad0f98a3a1a34421e028208d7869ccc5940a19ff

SHA512
4f69fa7b04c88cf5ff686f7852a5f522d676324e41b2d0e2835d40642b2ee01984f2a948335b95412330543f4cbffe43126ce6ea8e58442f25701153e080fed7

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a062116d5d465ad6a88dc2955ded39fd

SHA1
bb8f2ef7a423772f341d843d31c9e27ed960e18b

SHA256
7130b81b7d736f5d2d5ba032ad0f98a3a1a34421e028208d7869ccc5940a19ff

SHA512
4f69fa7b04c88cf5ff686f7852a5f522d676324e41b2d0e2835d40642b2ee01984f2a948335b95412330543f4cbffe43126ce6ea8e58442f25701153e080fed7

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
715f1880d53d5e72ec522651e6cd5f8d

SHA1
55ae4368c7d7428c9debc94f3126d98ec0b2e31c

SHA256
ffa740c31b5719c70e85c90cc383f673e2ce9fedd59430bf96de2584f66e4641

SHA512
b7da4685de89e0f9df1bf856627d6740a64a0c74e5d70f341995f5b8e2cfeb06032b6169ddfe71cea1c9fe41e900f7ebd398b2ac91834b15034baa38925c3539

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
715f1880d53d5e72ec522651e6cd5f8d

SHA1
55ae4368c7d7428c9debc94f3126d98ec0b2e31c

SHA256
ffa740c31b5719c70e85c90cc383f673e2ce9fedd59430bf96de2584f66e4641

SHA512
b7da4685de89e0f9df1bf856627d6740a64a0c74e5d70f341995f5b8e2cfeb06032b6169ddfe71cea1c9fe41e900f7ebd398b2ac91834b15034baa38925c3539

Download Submit
memory/8-259-0x0000000000000000-mapping.dmp

Download
memory/220-154-0x0000000000000000-mapping.dmp

Download
memory/220-361-0x0000000000000000-mapping.dmp

Download
memory/372-357-0x0000000000000000-mapping.dmp

Download
memory/832-209-0x0000000000000000-mapping.dmp

Download
memory/920-279-0x0000000000000000-mapping.dmp

Download
memory/932-219-0x0000000000000000-mapping.dmp

Download
memory/1108-301-0x0000000000000000-mapping.dmp

Download
memory/1196-311-0x0000000000000000-mapping.dmp

Download
memory/1212-139-0x0000000000000000-mapping.dmp

Download
memory/1288-234-0x0000000000000000-mapping.dmp

Download
memory/1364-199-0x0000000000000000-mapping.dmp

Download
memory/1592-224-0x0000000000000000-mapping.dmp

Download
memory/1664-204-0x0000000000000000-mapping.dmp

Download
memory/1668-174-0x0000000000000000-mapping.dmp

Download
memory/1688-345-0x0000000000000000-mapping.dmp

Download
memory/1704-350-0x0000000000000000-mapping.dmp

Download
memory/1844-295-0x0000000000000000-mapping.dmp

Download
memory/2132-184-0x0000000000000000-mapping.dmp

Download
memory/2168-335-0x0000000000000000-mapping.dmp

Download
memory/2192-289-0x0000000000000000-mapping.dmp

Download
memory/2204-309-0x0000000000000000-mapping.dmp

Download
memory/2216-378-0x0000000000000000-mapping.dmp

Download
memory/2388-254-0x0000000000000000-mapping.dmp

Download
memory/2424-373-0x0000000000000000-mapping.dmp

Download
memory/2628-329-0x0000000000000000-mapping.dmp

Download
memory/2640-249-0x0000000000000000-mapping.dmp

Download
memory/2784-149-0x0000000000000000-mapping.dmp

Download
memory/2840-214-0x0000000000000000-mapping.dmp

Download
memory/2896-144-0x0000000000000000-mapping.dmp

Download
memory/2896-353-0x0000000000000000-mapping.dmp

Download
memory/2936-302-0x0000000000000000-mapping.dmp

Download
memory/3016-369-0x0000000000000000-mapping.dmp

Download
memory/3040-169-0x0000000000000000-mapping.dmp

Download
memory/3268-284-0x0000000000000000-mapping.dmp

Download
memory/3332-179-0x0000000000000000-mapping.dmp

Download
memory/3340-349-0x0000000000000000-mapping.dmp

Download
memory/3368-296-0x0000000000000000-mapping.dmp

Download
memory/3372-189-0x0000000000000000-mapping.dmp

Download
memory/3444-244-0x0000000000000000-mapping.dmp

Download
memory/3464-239-0x0000000000000000-mapping.dmp

Download
memory/3584-294-0x0000000000000000-mapping.dmp

Download
memory/3660-229-0x0000000000000000-mapping.dmp

Download
memory/3700-310-0x0000000000000000-mapping.dmp

Download
memory/3904-164-0x0000000000000000-mapping.dmp

Download
memory/3936-328-0x0000000000000000-mapping.dmp

Download
memory/3952-324-0x0000000000000000-mapping.dmp

Download
memory/4084-264-0x0000000000000000-mapping.dmp

Download
memory/4560-331-0x0000000000000000-mapping.dmp

Download
memory/4584-327-0x0000000000000000-mapping.dmp

Download
memory/4620-384-0x0000000000000000-mapping.dmp

Download
memory/4640-313-0x0000000000000000-mapping.dmp

Download
memory/4680-269-0x0000000000000000-mapping.dmp

Download
memory/4704-341-0x0000000000000000-mapping.dmp

Download
memory/4720-383-0x0000000000000000-mapping.dmp

Download
memory/4728-159-0x0000000000000000-mapping.dmp

Download
memory/4728-372-0x0000000000000000-mapping.dmp

Download
memory/4888-314-0x0000000000000000-mapping.dmp

Download
memory/4908-134-0x0000000000000000-mapping.dmp

Download
memory/4948-194-0x0000000000000000-mapping.dmp

Download
memory/5000-348-0x0000000000000000-mapping.dmp

Download
memory/5008-274-0x0000000000000000-mapping.dmp

Download
memory/5036-375-0x0000000000000000-mapping.dmp

Download
memory/5112-366-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads