33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f

Analysis

max time kernel
188s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe
Size

72KB
MD5

0d6ea4299a6b6f2a05d6f2f10a89930a
SHA1

25c625b87c419e9aeb435433a219649019b285a6
SHA256

33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f
SHA512

85418ec43d07c8f775d75eed9a70c17b3a1e2f44a13f0b2822180711d8122db622c83406b25ede31cd45349dcf23a502f35ac8b9c7e04968123b2856ef287e66
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k7MV:teThavEjDWguKU7c

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
972	backup.exe
808	backup.exe
4508	backup.exe
4672	data.exe
1144	backup.exe
2772	backup.exe
4456	backup.exe
1988	backup.exe
4300	backup.exe
32	update.exe
796	backup.exe
3536	backup.exe
2844	backup.exe
2332	update.exe
2636	backup.exe
4748	backup.exe
2708	backup.exe
4136	backup.exe
4400	backup.exe
3088	backup.exe
5068	backup.exe
1852	backup.exe
2180	backup.exe
1812	backup.exe
3420	backup.exe
3452	backup.exe
2808	backup.exe
3116	backup.exe
3092	backup.exe
2116	backup.exe
460	backup.exe
2376	backup.exe
1160	backup.exe
692	backup.exe
2856	backup.exe
1884	backup.exe
1736	backup.exe
3480	backup.exe
3036	backup.exe
1684	backup.exe
1276	backup.exe
4636	System Restore.exe
4460	backup.exe
1872	backup.exe
4852	backup.exe
4656	backup.exe
4820	backup.exe
1556	backup.exe
1788	backup.exe
2296	backup.exe
4848	backup.exe
3344	System Restore.exe
3856	data.exe
1308	backup.exe
4440	backup.exe
4688	backup.exe
4284	update.exe
4508	backup.exe
1144	backup.exe
4216	update.exe
3300	backup.exe
320	backup.exe
4368	backup.exe
3224	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\update.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\update.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\System Restore.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe	backup.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	update.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\update.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe
972	backup.exe
808	backup.exe
4508	backup.exe
4672	data.exe
1144	backup.exe
2772	backup.exe
4456	backup.exe
1988	backup.exe
4300	backup.exe
32	update.exe
796	backup.exe
3536	backup.exe
2844	backup.exe
2332	update.exe
2636	backup.exe
4748	backup.exe
2708	backup.exe
4136	backup.exe
4400	backup.exe
3088	backup.exe
5068	backup.exe
1852	backup.exe
2180	backup.exe
1812	backup.exe
3420	backup.exe
3452	backup.exe
2808	backup.exe
3116	backup.exe
3092	backup.exe
2116	backup.exe
460	backup.exe
2376	backup.exe
1160	backup.exe
692	backup.exe
2856	backup.exe
1884	backup.exe
3480	backup.exe
1736	backup.exe
1684	backup.exe
1276	backup.exe
3036	backup.exe
4636	System Restore.exe
4460	backup.exe
1872	backup.exe
4852	backup.exe
4656	backup.exe
4820	backup.exe
1556	backup.exe
4848	backup.exe
2296	backup.exe
1788	backup.exe
3344	System Restore.exe
3856	data.exe
1308	backup.exe
4440	backup.exe
4688	backup.exe
4284	update.exe
4508	backup.exe
1144	backup.exe
3300	backup.exe
4216	update.exe
320	backup.exe
4368	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 972	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	80
PID 4812 wrote to memory of 972	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	80
PID 4812 wrote to memory of 972	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	80
PID 4812 wrote to memory of 808	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	81
PID 4812 wrote to memory of 808	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	81
PID 4812 wrote to memory of 808	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	81
PID 4812 wrote to memory of 4508	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	82
PID 4812 wrote to memory of 4508	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	82
PID 4812 wrote to memory of 4508	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	82
PID 4812 wrote to memory of 4672	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	83
PID 4812 wrote to memory of 4672	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	83
PID 4812 wrote to memory of 4672	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	83
PID 4812 wrote to memory of 1144	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	84
PID 4812 wrote to memory of 1144	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	84
PID 4812 wrote to memory of 1144	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	84
PID 972 wrote to memory of 2772	972	backup.exe	85
PID 972 wrote to memory of 2772	972	backup.exe	85
PID 972 wrote to memory of 2772	972	backup.exe	85
PID 4812 wrote to memory of 4456	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	114
PID 4812 wrote to memory of 4456	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	114
PID 4812 wrote to memory of 4456	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	114
PID 4812 wrote to memory of 1988	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	113
PID 4812 wrote to memory of 1988	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	113
PID 4812 wrote to memory of 1988	4812	33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe	113
PID 2772 wrote to memory of 4300	2772	backup.exe	112
PID 2772 wrote to memory of 4300	2772	backup.exe	112
PID 2772 wrote to memory of 4300	2772	backup.exe	112
PID 2772 wrote to memory of 32	2772	backup.exe	91
PID 2772 wrote to memory of 32	2772	backup.exe	91
PID 2772 wrote to memory of 32	2772	backup.exe	91
PID 2772 wrote to memory of 796	2772	backup.exe	88
PID 2772 wrote to memory of 796	2772	backup.exe	88
PID 2772 wrote to memory of 796	2772	backup.exe	88
PID 796 wrote to memory of 3536	796	backup.exe	87
PID 796 wrote to memory of 3536	796	backup.exe	87
PID 796 wrote to memory of 3536	796	backup.exe	87
PID 3536 wrote to memory of 2844	3536	backup.exe	86
PID 3536 wrote to memory of 2844	3536	backup.exe	86
PID 3536 wrote to memory of 2844	3536	backup.exe	86
PID 796 wrote to memory of 2332	796	backup.exe	90
PID 796 wrote to memory of 2332	796	backup.exe	90
PID 796 wrote to memory of 2332	796	backup.exe	90
PID 2332 wrote to memory of 2636	2332	update.exe	89
PID 2332 wrote to memory of 2636	2332	update.exe	89
PID 2332 wrote to memory of 2636	2332	update.exe	89
PID 2332 wrote to memory of 4748	2332	update.exe	111
PID 2332 wrote to memory of 4748	2332	update.exe	111
PID 2332 wrote to memory of 4748	2332	update.exe	111
PID 4748 wrote to memory of 2708	4748	backup.exe	92
PID 4748 wrote to memory of 2708	4748	backup.exe	92
PID 4748 wrote to memory of 2708	4748	backup.exe	92
PID 4748 wrote to memory of 4136	4748	backup.exe	93
PID 4748 wrote to memory of 4136	4748	backup.exe	93
PID 4748 wrote to memory of 4136	4748	backup.exe	93
PID 4136 wrote to memory of 4400	4136	backup.exe	110
PID 4136 wrote to memory of 4400	4136	backup.exe	110
PID 4136 wrote to memory of 4400	4136	backup.exe	110
PID 4136 wrote to memory of 3088	4136	backup.exe	109
PID 4136 wrote to memory of 3088	4136	backup.exe	109
PID 4136 wrote to memory of 3088	4136	backup.exe	109
PID 4136 wrote to memory of 5068	4136	backup.exe	94
PID 4136 wrote to memory of 5068	4136	backup.exe	94
PID 4136 wrote to memory of 5068	4136	backup.exe	94
PID 4136 wrote to memory of 1852	4136	backup.exe	95

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe
"C:\Users\Admin\AppData\Local\Temp\33c881cc8fc4338705fb7aa09c9e2b7ce1609f21df2128cd7e5d9c5d730e8a7f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\3964565331\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3964565331\backup.exe C:\Users\Admin\AppData\Local\Temp\3964565331\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Program Files\Common Files\update.exe
        
        "C:\Program Files\Common Files\update.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4748
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4848
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3300
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:2092
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:2720
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:1904
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        System policy modification
        
        PID:2704
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:4900
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:3584
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2532
        
        C:\Program Files\Common Files\microsoft shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:4148
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3412
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        System policy modification
        
        PID:2608
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:2104
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3480
      - C:\Program Files\Common Files\System\System Restore.exe
        
        "C:\Program Files\Common Files\System\System Restore.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:3188
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:3148
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4192
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:5084
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:516
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4012
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3884
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3488
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1796
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:4756
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        System policy modification
        
        PID:2524
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1728
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:964
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2392
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:3944
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:4780
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        System policy modification
        
        PID:768
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:800
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2296
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Program Files\Google\Chrome\Application\data.exe
        
        "C:\Program Files\Google\Chrome\Application\data.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4216
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:2740
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:5068
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2160
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:3448
        
        C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2224
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1128
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:4092
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2540
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1656
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        System policy modification
        
        PID:3840
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\data.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2832
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4200
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3500
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4204
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1236
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:5036
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:4832
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4456
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:3188
      - C:\Program Files\Mozilla Firefox\browser\features\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\data.exe" C:\Program Files\Mozilla Firefox\browser\features\
        6⤵
        
        PID:4272
      - C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        6⤵
        
        PID:1872
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:1276
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:748
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:3920
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\update.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:3480
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:3716
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:1524
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:116
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        System policy modification
        
        PID:3292
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:4060
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:964
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:3500
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        System policy modification
        
        PID:3292
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:2500
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        
        PID:4172
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        
        PID:2272
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:5080
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        Drops file in Program Files directory
        
        PID:3172
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        System policy modification
        
        PID:3920
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:4784
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        
        PID:2680
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:4356
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:2296
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:4364
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\data.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        
        PID:4792
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        
        PID:2676
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:2288
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:4636
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Drops file in Program Files directory
        
        PID:4888
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:3840
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:856
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\
        9⤵
        
        PID:3956
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:2096
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:2464
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:4612
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:4632
      - C:\Program Files\Mozilla Firefox\browser\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:2832
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4832
  - - C:\PerfLogs\update.exe
      C:\PerfLogs\update.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:32
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4300
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1736
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:1884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:2208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        9⤵
        
        PID:260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:3128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:5100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:2180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:5104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        System policy modification
        
        PID:2828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:3356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        System policy modification
        
        PID:2696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:4008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:1424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:5108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:3584
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:2708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:4492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3468
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:2644
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:920
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:880
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:3276
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        System policy modification
        
        PID:2140
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:920
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        System policy modification
        
        PID:3684
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4752
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:3672
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:4552
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4832
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:3676
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:3884
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:5092
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:4892
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Drops file in Program Files directory
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3872
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:3856
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:884
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:4000
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:1352
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:704
      - C:\Program Files (x86)\Common Files\System\update.exe
        
        "C:\Program Files (x86)\Common Files\System\update.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2944
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:3584
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:3684
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:3116
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1416
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3172
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3460
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3380
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1272
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:4208
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2944
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3736
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\data.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\data.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\update.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\update.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Program Files (x86)\Google\Update\Offline\data.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\data.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:3636
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2580
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:4536
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:516
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:5116
      - C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3856
      - C:\Program Files (x86)\Internet Explorer\images\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\data.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:2008
      - C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4876
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:3328
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4768
    - - C:\Program Files (x86)\Microsoft\update.exe
        
        "C:\Program Files (x86)\Microsoft\update.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:2304
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        System policy modification
        
        PID:460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:384
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3240
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:2116
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:4120
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:3220
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:4852
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:532
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:4548
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2364
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4904
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4304
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2208
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:4520
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:4116
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4108
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        System policy modification
        
        PID:4200
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Users\Admin\Pictures\Camera Roll\System Restore.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\System Restore.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:3132
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        System policy modification
        
        PID:3420
      - C:\Users\Admin\Saved Games\update.exe
        
        "C:\Users\Admin\Saved Games\update.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3504
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:1412
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3660
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:4520
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:960
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3188
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:2472
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:1668
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        System policy modification
        
        PID:2088
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:2828
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:1656
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:3852
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        System policy modification
        
        PID:1020
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1456
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:1512
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        System policy modification
        
        PID:4548
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        System policy modification
        
        PID:2948
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:3520
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:1312
      - C:\Windows\apppatch\ja-JP\System Restore.exe
        
        "C:\Windows\apppatch\ja-JP\System Restore.exe" C:\Windows\apppatch\ja-JP\
        6⤵
        System policy modification
        
        PID:2180
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:4316
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4116
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:2816
        
        C:\Windows\assembly\GAC\ADODB\update.exe
        
        C:\Windows\assembly\GAC\ADODB\update.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        
        PID:4040
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3492
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        System policy modification
        
        PID:1864
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Windows directory
        
        PID:3448
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:808
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\Low\data.exe
  C:\Users\Admin\AppData\Local\Temp\Low\data.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536

C:\Program Files\Common Files\DESIGNER\backup.exe
"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5068
- C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2180
- C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3452
- C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3116
- C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3092
- C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:460
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1160
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:692
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2856
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\update.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4284
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
    3⤵
    PID:2844
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:2708
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
    3⤵
    PID:3052
- C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2376
- C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2808
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\update.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
    3⤵
    PID:2212
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
      4⤵
      PID:3932
- C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3420
- C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3088
- C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4400
- C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1884
- C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4460
- C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4656
- C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\System Restore.exe
  "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3344
- C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4508
- C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:116
- C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
  2⤵
  - System policy modification
  PID:1920
- C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
  2⤵
  PID:2284
- C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
  2⤵
  PID:4480
- C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3452
- C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4164
- C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
  2⤵
  PID:2828
- C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
  2⤵
  PID:4676
- C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
  2⤵
  PID:3980
- C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
  2⤵
  PID:1924
- C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
  2⤵
  PID:3464
- C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
  2⤵
  PID:2944
- - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
    "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
    3⤵
    PID:448
  - - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\update.exe
      "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\update.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
      4⤵
      PID:3068
- C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
  2⤵
  PID:1792
- C:\Program Files\Common Files\microsoft shared\ink\sl-SI\data.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
  2⤵
  PID:1512
- C:\Program Files\Common Files\microsoft shared\ink\sv-SE\System Restore.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
  2⤵
  PID:2212
- C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
  2⤵
  PID:4888
- C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4436
- C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
  2⤵
  - System policy modification
  PID:4656
- C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
  2⤵
  PID:3652
- C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4228
- C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
  2⤵
  PID:2132

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
1⤵
PID:1728
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  2⤵
  PID:2072

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
1⤵
PID:4228

C:\Program Files\Microsoft Office\Office16\backup.exe
"C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
1⤵
PID:2388

C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
1⤵
PID:2860
- C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
  2⤵
  PID:1740

C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3704

C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
1⤵
PID:2260

C:\Users\Public\Downloads\data.exe
C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
1⤵
PID:1424

C:\Program Files\Microsoft Office\PackageManifests\backup.exe
"C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
1⤵
PID:3420

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
1⤵
- System policy modification
PID:4512

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
1⤵
PID:4760
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2112
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
    3⤵
    PID:3412
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Drops file in Program Files directory
    PID:1792
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2268
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
      4⤵
      PID:4808
    - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        5⤵
        
        PID:2808

C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe
"C:\Program Files\Java\jre1.8.0_66\bin\plugin2\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3876

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
1⤵
PID:4248

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
1⤵
PID:4332

C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
1⤵
- Drops file in Program Files directory
PID:3244
- C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
  2⤵
  PID:2576

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
1⤵
PID:4680

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
1⤵
PID:4260

C:\Program Files\Microsoft Office\root\backup.exe
"C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
1⤵
- Drops file in Program Files directory
- System policy modification
PID:3164
- C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
  "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
  2⤵
  PID:3200
- - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
    "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
    3⤵
    PID:1156
- - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
    "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
    3⤵
    - System policy modification
    PID:3848
- - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
    "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1140
- C:\Program Files\Microsoft Office\root\fre\backup.exe
  "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
  2⤵
  - System policy modification
  PID:2812
- C:\Program Files\Microsoft Office\root\Integration\backup.exe
  "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
  2⤵
  PID:4544
- - C:\Program Files\Microsoft Office\root\Integration\Addons\System Restore.exe
    "C:\Program Files\Microsoft Office\root\Integration\Addons\System Restore.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
    3⤵
    PID:4880
- C:\Program Files\Microsoft Office\root\Licenses\backup.exe
  "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System policy modification
  PID:1248
- C:\Program Files\Microsoft Office\root\loc\backup.exe
  "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
  2⤵
  PID:2088
- C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
  "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
  2⤵
  PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
  2⤵
  PID:2696

C:\Windows\Branding\Basebrd\de-DE\backup.exe
C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
1⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
1⤵
- System policy modification
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\update.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit
C:\PerfLogs\update.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
95cd69d2cc5ffc346f8b436b8a3d4f79

SHA1
9134f28e1cd7c4d3cc4e1e3188c2ffb855e9787e

SHA256
b2e30bffdd1ccb3df1d3e00fd50376895714a48e524ef86702c07714f58678cc

SHA512
3532a73a027d899e3c4e5b00ddb64a06b12343cccc41448e73752a500b8ff3dade8a310c2df95b0cc75f286a3e8b2f0aaaf397bfb5d1f8229b18bb9c0024220f

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
95cd69d2cc5ffc346f8b436b8a3d4f79

SHA1
9134f28e1cd7c4d3cc4e1e3188c2ffb855e9787e

SHA256
b2e30bffdd1ccb3df1d3e00fd50376895714a48e524ef86702c07714f58678cc

SHA512
3532a73a027d899e3c4e5b00ddb64a06b12343cccc41448e73752a500b8ff3dade8a310c2df95b0cc75f286a3e8b2f0aaaf397bfb5d1f8229b18bb9c0024220f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d915ad7cf7f689c2872976ffcc4839fe

SHA1
606c2044014a80bbf605c994eae0e549eedef10f

SHA256
19feb20ddf6a36849a4c906c9da8686c0dca5641e8c963b72688fca36289262c

SHA512
38d307d0a6e1c17ba23a5ba9f9f7a70b030fee8a1c0e1e10f7df70dc435c4586b2e4759d85d31d290e5d9f95be12dbb2305770122bedce39e3b6788e5d78737f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
d915ad7cf7f689c2872976ffcc4839fe

SHA1
606c2044014a80bbf605c994eae0e549eedef10f

SHA256
19feb20ddf6a36849a4c906c9da8686c0dca5641e8c963b72688fca36289262c

SHA512
38d307d0a6e1c17ba23a5ba9f9f7a70b030fee8a1c0e1e10f7df70dc435c4586b2e4759d85d31d290e5d9f95be12dbb2305770122bedce39e3b6788e5d78737f

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
95cd69d2cc5ffc346f8b436b8a3d4f79

SHA1
9134f28e1cd7c4d3cc4e1e3188c2ffb855e9787e

SHA256
b2e30bffdd1ccb3df1d3e00fd50376895714a48e524ef86702c07714f58678cc

SHA512
3532a73a027d899e3c4e5b00ddb64a06b12343cccc41448e73752a500b8ff3dade8a310c2df95b0cc75f286a3e8b2f0aaaf397bfb5d1f8229b18bb9c0024220f

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
95cd69d2cc5ffc346f8b436b8a3d4f79

SHA1
9134f28e1cd7c4d3cc4e1e3188c2ffb855e9787e

SHA256
b2e30bffdd1ccb3df1d3e00fd50376895714a48e524ef86702c07714f58678cc

SHA512
3532a73a027d899e3c4e5b00ddb64a06b12343cccc41448e73752a500b8ff3dade8a310c2df95b0cc75f286a3e8b2f0aaaf397bfb5d1f8229b18bb9c0024220f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
d349b415676b27a428f51a363ca9f90f

SHA1
04fef78542edc14965728e68e10d24cda287dcf9

SHA256
8d24f709dd1d7a041c8ac226c17b618d6b3188e14cc86e2288d1b3d9c5194bde

SHA512
76047466d9e03c86191682806f5cba9688d666ec3a7fd33652004d53e0ec9fed3b7b7c97a066a18f49725ed1fb6a43cfd995e44139e7e0c06c54b9f21ee3b63b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
d349b415676b27a428f51a363ca9f90f

SHA1
04fef78542edc14965728e68e10d24cda287dcf9

SHA256
8d24f709dd1d7a041c8ac226c17b618d6b3188e14cc86e2288d1b3d9c5194bde

SHA512
76047466d9e03c86191682806f5cba9688d666ec3a7fd33652004d53e0ec9fed3b7b7c97a066a18f49725ed1fb6a43cfd995e44139e7e0c06c54b9f21ee3b63b

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
a71804bfdfbcc9606992a0ba47aaed4d

SHA1
e1283a191b9fea235430d931a163d03e35900db8

SHA256
4799a5f229523bd7acf1466b24611c7592ad4d9919e75cec2001379e52e15766

SHA512
ba87fd995693373faed9f8c3c2bb71787e94e715e47222d8e0f183bc70b311743dd3e10c181df8ab357637b200d24a7988196212bde28dc74b2a1b5bcb8ace2c

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
a71804bfdfbcc9606992a0ba47aaed4d

SHA1
e1283a191b9fea235430d931a163d03e35900db8

SHA256
4799a5f229523bd7acf1466b24611c7592ad4d9919e75cec2001379e52e15766

SHA512
ba87fd995693373faed9f8c3c2bb71787e94e715e47222d8e0f183bc70b311743dd3e10c181df8ab357637b200d24a7988196212bde28dc74b2a1b5bcb8ace2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d349b415676b27a428f51a363ca9f90f

SHA1
04fef78542edc14965728e68e10d24cda287dcf9

SHA256
8d24f709dd1d7a041c8ac226c17b618d6b3188e14cc86e2288d1b3d9c5194bde

SHA512
76047466d9e03c86191682806f5cba9688d666ec3a7fd33652004d53e0ec9fed3b7b7c97a066a18f49725ed1fb6a43cfd995e44139e7e0c06c54b9f21ee3b63b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d349b415676b27a428f51a363ca9f90f

SHA1
04fef78542edc14965728e68e10d24cda287dcf9

SHA256
8d24f709dd1d7a041c8ac226c17b618d6b3188e14cc86e2288d1b3d9c5194bde

SHA512
76047466d9e03c86191682806f5cba9688d666ec3a7fd33652004d53e0ec9fed3b7b7c97a066a18f49725ed1fb6a43cfd995e44139e7e0c06c54b9f21ee3b63b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
5eafb2def515d66331f115289e409103

SHA1
4e7d007d7e6a9ee346f7e1addaad3afef30bc292

SHA256
ddc5c82075b0b0ee3ff8849566ec6314bf98c5acd39985b3efa31b8e938a3ea1

SHA512
554405f42588f6d8214be167e88de04c843bee503b886101c3b46cda30fc880db976f316070e477d0ef34e131f0f170b3bb39d1ed889eecbd3296feecc3d5790

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
ea6962f875ef2b95f6d938f163d61cf8

SHA1
6ea62c1c09d1187549e7ab653497be92843fdc51

SHA256
7997d721a9d639a71cf7690151f894f610740bc432819db2b00882918b0462fe

SHA512
dc5506e36f6e0c9d15de635513b765b2380abf486802b0ff4f6024534801fdcf316a7142478a15b9d4b9b391afcfae9a407bf22ae3d33dcab996a158bbee4811

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
d4132324d58b35b55598d8a3803c3c0a

SHA1
ff606cd909ff3bf9d5f7e2aa1902dc10f008a54f

SHA256
875aca621a8b53bb9470b4588178bf61e6d8f97d3b19ad849dbcb27c353fcb40

SHA512
6708c891dc888c9752d93ff92608ae262d389e40f3a1408fa18690a48ea6824bf6ae616ac40dd0d76558fabccb0565b6de8ce5a3c7f7108d32bf44b04b3b1557

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
d4132324d58b35b55598d8a3803c3c0a

SHA1
ff606cd909ff3bf9d5f7e2aa1902dc10f008a54f

SHA256
875aca621a8b53bb9470b4588178bf61e6d8f97d3b19ad849dbcb27c353fcb40

SHA512
6708c891dc888c9752d93ff92608ae262d389e40f3a1408fa18690a48ea6824bf6ae616ac40dd0d76558fabccb0565b6de8ce5a3c7f7108d32bf44b04b3b1557

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d4132324d58b35b55598d8a3803c3c0a

SHA1
ff606cd909ff3bf9d5f7e2aa1902dc10f008a54f

SHA256
875aca621a8b53bb9470b4588178bf61e6d8f97d3b19ad849dbcb27c353fcb40

SHA512
6708c891dc888c9752d93ff92608ae262d389e40f3a1408fa18690a48ea6824bf6ae616ac40dd0d76558fabccb0565b6de8ce5a3c7f7108d32bf44b04b3b1557

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
d4132324d58b35b55598d8a3803c3c0a

SHA1
ff606cd909ff3bf9d5f7e2aa1902dc10f008a54f

SHA256
875aca621a8b53bb9470b4588178bf61e6d8f97d3b19ad849dbcb27c353fcb40

SHA512
6708c891dc888c9752d93ff92608ae262d389e40f3a1408fa18690a48ea6824bf6ae616ac40dd0d76558fabccb0565b6de8ce5a3c7f7108d32bf44b04b3b1557

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
d915ad7cf7f689c2872976ffcc4839fe

SHA1
606c2044014a80bbf605c994eae0e549eedef10f

SHA256
19feb20ddf6a36849a4c906c9da8686c0dca5641e8c963b72688fca36289262c

SHA512
38d307d0a6e1c17ba23a5ba9f9f7a70b030fee8a1c0e1e10f7df70dc435c4586b2e4759d85d31d290e5d9f95be12dbb2305770122bedce39e3b6788e5d78737f

Download Submit
C:\Program Files\Common Files\update.exe

Filesize
72KB

MD5
d915ad7cf7f689c2872976ffcc4839fe

SHA1
606c2044014a80bbf605c994eae0e549eedef10f

SHA256
19feb20ddf6a36849a4c906c9da8686c0dca5641e8c963b72688fca36289262c

SHA512
38d307d0a6e1c17ba23a5ba9f9f7a70b030fee8a1c0e1e10f7df70dc435c4586b2e4759d85d31d290e5d9f95be12dbb2305770122bedce39e3b6788e5d78737f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3964565331\backup.exe

Filesize
72KB

MD5
78c443b64b32e9402b5c369e142b139d

SHA1
72bfbddde3be53a7565cda4c90f1d914f2e2c568

SHA256
38f958227ddfdb1a24aab8b2db53ea5e392723e8983e23f3ddb32617c459b712

SHA512
81def7de9056ee0b65e3dc31e0141d3d1763a4fc90b9110aca84342fe5916a75292cc24ab987f03df5d89f0a254e8df9a267d0210c2a6ffe92f5fa1581929838

Download Submit
C:\Users\Admin\AppData\Local\Temp\3964565331\backup.exe

Filesize
72KB

MD5
78c443b64b32e9402b5c369e142b139d

SHA1
72bfbddde3be53a7565cda4c90f1d914f2e2c568

SHA256
38f958227ddfdb1a24aab8b2db53ea5e392723e8983e23f3ddb32617c459b712

SHA512
81def7de9056ee0b65e3dc31e0141d3d1763a4fc90b9110aca84342fe5916a75292cc24ab987f03df5d89f0a254e8df9a267d0210c2a6ffe92f5fa1581929838

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\data.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
3f032171e9bbaf27c9f7527cd77ad88d

SHA1
1e1ece7a7bf5bdef7d421b12dabbdeea2aadd488

SHA256
e6aeda3933893c84e98ce167dd49c63eda1b33eeed15c647c3f31dfcc9bdacad

SHA512
d1d68c94313662ac786d805e51ff57261293a0c6c01f0d235b5a0a0942aca357c071f9d86731dd3d61d82369d79aaa12692d139d056be48d2e3cf464d54e21ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
3f032171e9bbaf27c9f7527cd77ad88d

SHA1
1e1ece7a7bf5bdef7d421b12dabbdeea2aadd488

SHA256
e6aeda3933893c84e98ce167dd49c63eda1b33eeed15c647c3f31dfcc9bdacad

SHA512
d1d68c94313662ac786d805e51ff57261293a0c6c01f0d235b5a0a0942aca357c071f9d86731dd3d61d82369d79aaa12692d139d056be48d2e3cf464d54e21ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
d504312f85e823349b90746b38e550d9

SHA1
72a030e75d54fd796091b775696b8e22e47d6d7a

SHA256
88fcb85f420ec94fdac51b990932e68c043c37440378fbd975807b74491754c7

SHA512
e41d05749664dc2e8ad210076753cffcd11eb9936cf65769ebc7097e5df393c8c79e5c4832dcc74a64c23f1db92a873b70955561075d204cdd54469ab8949566

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
111b0c8dae85e6759220cbadabbd74b4

SHA1
648c42f55c50b26d44f7c46884b4be6828c9d860

SHA256
cd4f3613ed935f744a490574f9129af1345de3ff316b8e9d4560ac784a522e7f

SHA512
6dd5357dbd68ab4acc0329cf7b002e7058f709326974f978b94006d62c184b3aaae87558e6fd0bfc7d1e8689422a2b40ee5a4391fc7e0c269aab5b63b8e90745

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
111b0c8dae85e6759220cbadabbd74b4

SHA1
648c42f55c50b26d44f7c46884b4be6828c9d860

SHA256
cd4f3613ed935f744a490574f9129af1345de3ff316b8e9d4560ac784a522e7f

SHA512
6dd5357dbd68ab4acc0329cf7b002e7058f709326974f978b94006d62c184b3aaae87558e6fd0bfc7d1e8689422a2b40ee5a4391fc7e0c269aab5b63b8e90745

Download Submit
C:\backup.exe

Filesize
72KB

MD5
39e718ab7409ae4bf6aa8072519f110e

SHA1
d1d31d1337f9c53a15b746a9fc14d5ebd54da49b

SHA256
a49b8335f9ecfd282592d74da1d5fe5c0541cb8ecc3fdbc999bda2e169de987f

SHA512
6456344d330fb7cfa170da3d3ae8c04d7da5094c1de127b6dc330da50f8f6a0e2b181fd1fdb9e0c96406806a4f0d053b610064f91b15198a96923ac171c585a6

Download Submit
C:\backup.exe

Filesize
72KB

MD5
39e718ab7409ae4bf6aa8072519f110e

SHA1
d1d31d1337f9c53a15b746a9fc14d5ebd54da49b

SHA256
a49b8335f9ecfd282592d74da1d5fe5c0541cb8ecc3fdbc999bda2e169de987f

SHA512
6456344d330fb7cfa170da3d3ae8c04d7da5094c1de127b6dc330da50f8f6a0e2b181fd1fdb9e0c96406806a4f0d053b610064f91b15198a96923ac171c585a6

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
ab11b9b710892c04a022231132ff6915

SHA1
2e06431c49bc422a0a389ae2236b8773d172ef07

SHA256
9f3645e9e10dc5052f86f77b6f8d7f65fffa1636a100e8f6004ae2e0361ddc16

SHA512
dc044ad894e8ca5a4ace5019ca9aa25c845445e46d4aa2f5479b7aa9222992997711b5280f813c21b7b78e1f6e071e7c9885b353b30e7292cd5a9067ddafdbcb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads