f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7

Analysis

max time kernel
155s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe
Size

72KB
MD5

a79e1c9d00a323fc6b344e69e83cb864
SHA1

171b16a6349572ca6dfcd7099bd19b2e7ed464d6
SHA256

f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7
SHA512

0c268daeade4b6694ceaeda9fcb37574887fe02465b2a298c53ac30a7ba91272cd3521a5df877aea1f938d4977c6f3c0a8dcb0b182d8c1344ed29b90a8c00751
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGx:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrE

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exef3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

update.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
4172	update.exe
5104	backup.exe
1020	backup.exe
5068	backup.exe
4328	backup.exe
2124	backup.exe
2192	backup.exe
3980	backup.exe
4664	backup.exe
1716	backup.exe
2136	backup.exe
3748	backup.exe
4320	backup.exe
4376	backup.exe
3600	backup.exe
884	backup.exe
3924	backup.exe
2848	backup.exe
4652	backup.exe
4244	backup.exe
1520	backup.exe
3812	backup.exe
2028	backup.exe
1976	backup.exe
4812	backup.exe
4252	backup.exe
2816	backup.exe
4796	backup.exe
728	data.exe
1488	backup.exe
1464	backup.exe
2040	backup.exe
4844	backup.exe
2160	backup.exe
4136	backup.exe
1208	backup.exe
4980	backup.exe
3524	backup.exe
4488	backup.exe
2388	backup.exe
1592	backup.exe
4720	backup.exe
1508	backup.exe
2000	backup.exe
5104	backup.exe
2164	backup.exe
5068	backup.exe
2884	backup.exe
1732	backup.exe
4408	backup.exe
4384	backup.exe
2004	backup.exe
4524	backup.exe
4576	backup.exe
1544	backup.exe
1532	backup.exe
1576	backup.exe
3624	backup.exe
3916	update.exe
4892	backup.exe
1408	backup.exe
1972	backup.exe
4908	backup.exe
5048	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe

Drops file in Windows directory 13 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	update.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe

pid process

544 f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe
4172	update.exe
5104	backup.exe
1020	backup.exe
5068	backup.exe
4328	backup.exe
2124	backup.exe
2192	backup.exe
3980	backup.exe
4664	backup.exe
1716	backup.exe
2136	backup.exe
3748	backup.exe
4320	backup.exe
4376	backup.exe
3600	backup.exe
884	backup.exe
3924	backup.exe
2848	backup.exe
4652	backup.exe
4244	backup.exe
1520	backup.exe
3812	backup.exe
2028	backup.exe
1976	backup.exe
4812	backup.exe
4252	backup.exe
2816	backup.exe
4796	backup.exe
728	data.exe
1488	backup.exe
1464	backup.exe
2040	backup.exe
2160	backup.exe
1164	backup.exe
4136	backup.exe
1208	backup.exe
4980	backup.exe
3524	backup.exe
4488	backup.exe
2388	backup.exe
1592	backup.exe
4720	backup.exe
1508	backup.exe
2000	backup.exe
5104	backup.exe
2164	backup.exe
5068	backup.exe
2884	backup.exe
1732	backup.exe
4408	backup.exe
2004	backup.exe
4384	backup.exe
4524	backup.exe
4576	backup.exe
1544	backup.exe
3916	update.exe
4892	backup.exe
3624	backup.exe
508	backup.exe
1408	backup.exe
1532	backup.exe
1576	backup.exe
5048	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 544 wrote to memory of 4172	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	update.exe
PID 544 wrote to memory of 4172	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	update.exe
PID 544 wrote to memory of 4172	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	update.exe
PID 544 wrote to memory of 5104	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 5104	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 5104	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 1020	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 1020	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 1020	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 5068	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 5068	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 5068	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 4328	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 4328	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 4328	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2124	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2124	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2124	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2192	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2192	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 544 wrote to memory of 2192	544	f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe	backup.exe
PID 4172 wrote to memory of 3980	4172	update.exe	backup.exe
PID 4172 wrote to memory of 3980	4172	update.exe	backup.exe
PID 4172 wrote to memory of 3980	4172	update.exe	backup.exe
PID 3980 wrote to memory of 4664	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 4664	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 4664	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 1716	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 1716	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 1716	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 2136	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 2136	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 2136	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 3748	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 3748	3980	backup.exe	backup.exe
PID 3980 wrote to memory of 3748	3980	backup.exe	backup.exe
PID 2136 wrote to memory of 4320	2136	backup.exe	backup.exe
PID 2136 wrote to memory of 4320	2136	backup.exe	backup.exe
PID 2136 wrote to memory of 4320	2136	backup.exe	backup.exe
PID 3748 wrote to memory of 4376	3748	backup.exe	backup.exe
PID 3748 wrote to memory of 4376	3748	backup.exe	backup.exe
PID 3748 wrote to memory of 4376	3748	backup.exe	backup.exe
PID 4320 wrote to memory of 3600	4320	backup.exe	backup.exe
PID 4320 wrote to memory of 3600	4320	backup.exe	backup.exe
PID 4320 wrote to memory of 3600	4320	backup.exe	backup.exe
PID 4376 wrote to memory of 884	4376	backup.exe	backup.exe
PID 4376 wrote to memory of 884	4376	backup.exe	backup.exe
PID 4376 wrote to memory of 884	4376	backup.exe	backup.exe
PID 2136 wrote to memory of 3924	2136	backup.exe	backup.exe
PID 2136 wrote to memory of 3924	2136	backup.exe	backup.exe
PID 2136 wrote to memory of 3924	2136	backup.exe	backup.exe
PID 884 wrote to memory of 2848	884	backup.exe	backup.exe
PID 884 wrote to memory of 2848	884	backup.exe	backup.exe
PID 884 wrote to memory of 2848	884	backup.exe	backup.exe
PID 3924 wrote to memory of 4652	3924	backup.exe	backup.exe
PID 3924 wrote to memory of 4652	3924	backup.exe	backup.exe
PID 3924 wrote to memory of 4652	3924	backup.exe	backup.exe
PID 3924 wrote to memory of 4244	3924	backup.exe	backup.exe
PID 3924 wrote to memory of 4244	3924	backup.exe	backup.exe
PID 3924 wrote to memory of 4244	3924	backup.exe	backup.exe
PID 884 wrote to memory of 1520	884	backup.exe	backup.exe
PID 884 wrote to memory of 1520	884	backup.exe	backup.exe
PID 884 wrote to memory of 1520	884	backup.exe	backup.exe
PID 4244 wrote to memory of 3812	4244	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe
"C:\Users\Admin\AppData\Local\Temp\f3a78d5ba5003ea7a6054b423efc973ecd694d177b1658d580c46c94f9647ef7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\1384053283\update.exe
C:\Users\Admin\AppData\Local\Temp\1384053283\update.exe C:\Users\Admin\AppData\Local\Temp\1384053283\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4172

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\odt\backup.exe
C:\odt\backup.exe C:\odt\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4320

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924

C:\Program Files\Common Files\DESIGNER\backup.exe
"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Program Files\Common Files\microsoft shared\backup.exe
"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3812

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1488

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2040

C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4136

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4980

C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4488

C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1508

C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1864

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:5000

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
9⤵
PID:3352

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1720

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:956

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
9⤵
- Modifies visibility of file extensions in Explorer
PID:3880

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
9⤵
PID:4672

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
9⤵
- System policy modification
PID:4088

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
9⤵
PID:2152

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
9⤵
- System policy modification
PID:1016

C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
8⤵
PID:1016

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4868

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
8⤵
PID:4288

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
- System policy modification
PID:2176

C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:4220

C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
8⤵
- System policy modification
PID:3508

C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
PID:4580

C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
PID:4068

C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:1188

C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:632

C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
7⤵
- Suspicious use of SetWindowsHookEx
PID:508

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
8⤵
- System policy modification
PID:3880

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
- System policy modification
PID:4072

C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4720

C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
7⤵
PID:3272

C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
7⤵
PID:1160

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
8⤵
PID:4488

C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
7⤵
PID:3916

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
8⤵
- System policy modification
PID:3820

C:\Program Files\Common Files\microsoft shared\VC\backup.exe
"C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
7⤵
- System policy modification
PID:1600

C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
"C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
7⤵
PID:4572

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3624

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1628

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1228

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:4224

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:4588

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:3024

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- System policy modification
PID:1488

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
- System policy modification
PID:4624

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4284

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:4160

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:4560

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- System policy modification
PID:1984

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4648

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4524

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
PID:4908

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Drops file in Program Files directory
PID:4796

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Drops file in Program Files directory
PID:3540

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
PID:4832

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:5112

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
PID:3600

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
PID:1908

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4636

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4768

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1956

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:4544

C:\Program Files\Internet Explorer\de-DE\update.exe
"C:\Program Files\Internet Explorer\de-DE\update.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
- System policy modification
PID:712

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
PID:312

C:\Program Files\Internet Explorer\es-ES\data.exe
"C:\Program Files\Internet Explorer\es-ES\data.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3772

C:\Program Files\Internet Explorer\fr-FR\update.exe
"C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
- System policy modification
PID:3476

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
- System policy modification
PID:2100

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:4360

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:4532

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3160

C:\Program Files\Java\jdk1.8.0_66\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
6⤵
- Drops file in Program Files directory
PID:332

C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
7⤵
PID:2196

C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
7⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
8⤵
PID:528

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4376

C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:728

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
8⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
9⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:900

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
9⤵
PID:4412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
10⤵
- Drops file in Program Files directory
PID:4340

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:5088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
9⤵
- System policy modification
PID:1040

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
9⤵
PID:688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
8⤵
- Drops file in Program Files directory
PID:3968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
9⤵
PID:1464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
8⤵
PID:2296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
8⤵
PID:3960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
9⤵
PID:2088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
10⤵
PID:4568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
11⤵
- Modifies visibility of file extensions in Explorer
PID:4152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
8⤵
- System policy modification
PID:3344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
9⤵
PID:3068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
8⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4144

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
9⤵
- System policy modification
PID:3872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:4460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
PID:1164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:1720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
8⤵
PID:1488

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1544

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1972

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
PID:1868

C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\data.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
7⤵
- Drops file in Program Files directory
PID:364

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
8⤵
- System policy modification
PID:2248

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
7⤵
PID:4776

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
8⤵
PID:4072

C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
7⤵
- System policy modification
PID:4092

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
8⤵
PID:4492

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2808

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
10⤵
PID:3136

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\update.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
10⤵
PID:1760

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
11⤵
PID:3584

C:\Program Files (x86)\Common Files\Java\backup.exe
"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3472

C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
7⤵
PID:448

C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
6⤵
- Drops file in Program Files directory
PID:4964

C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
7⤵
- System policy modification
PID:1964

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2920

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4224

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\update.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1800

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4016

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
PID:2244

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
PID:4940

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
7⤵
- Drops file in Program Files directory
PID:3956

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1552

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:992

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- System policy modification
PID:5076

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3856

C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
7⤵
- System policy modification
PID:2296

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:4084

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:2480

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3864

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:3508

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:3960

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Program Files (x86)\Google\CrashReports\update.exe
"C:\Program Files (x86)\Google\CrashReports\update.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:4928

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
- System policy modification
PID:3144

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:428

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:4824

C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
7⤵
PID:2520

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
7⤵
- System policy modification
PID:2512

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
8⤵
PID:4892

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
9⤵
PID:2708

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
7⤵
- System policy modification
PID:4460

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:1604

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
PID:4488

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
- System policy modification
PID:2400

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1172

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:1984

C:\Program Files (x86)\Internet Explorer\images\backup.exe
"C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
6⤵
PID:4516

C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1320

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
- System policy modification
PID:1536

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
PID:4728

C:\Program Files (x86)\Microsoft\backup.exe
"C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
5⤵
- Drops file in Program Files directory
PID:796

C:\Program Files (x86)\Microsoft\Edge\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
6⤵
- Modifies visibility of file extensions in Explorer
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
8⤵
- System policy modification
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\System Restore.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
9⤵
PID:2204

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Users\Admin\3D Objects\backup.exe
"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1956

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:2496

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:432

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:3924

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:4248

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:4828

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:116

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:1964

C:\Users\Admin\OneDrive\backup.exe
C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
6⤵
PID:1496

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:5040

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
- System policy modification
PID:5076

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:2260

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
PID:3468

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:208

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
- System policy modification
PID:2112

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
- System policy modification
PID:1212

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in Windows directory
PID:760

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:3952

C:\Windows\appcompat\backup.exe
C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
5⤵
- Drops file in Windows directory
- System policy modification
PID:1000

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
6⤵
- Drops file in Windows directory
PID:1400

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
7⤵
PID:5092

C:\Windows\appcompat\encapsulation\backup.exe
C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
6⤵
PID:3964

C:\Windows\appcompat\Programs\backup.exe
C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Windows\apppatch\backup.exe
C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
- System policy modification
PID:2796

C:\Windows\apppatch\AppPatch64\backup.exe
C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
6⤵
PID:4816

C:\Windows\apppatch\Custom\update.exe
C:\Windows\apppatch\Custom\update.exe C:\Windows\apppatch\Custom\
6⤵
- Drops file in Windows directory
PID:1576

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4340

C:\Windows\apppatch\CustomSDB\backup.exe
C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
6⤵
PID:3936

C:\Windows\apppatch\de-DE\backup.exe
C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
6⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
PID:2100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
1⤵
PID:4652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
2⤵
- Drops file in Program Files directory
PID:4336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
1⤵
PID:2188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe
Filesize
72KB

MD5
6d57cb6c2d3d07f6c70ab0f39b6868a7

SHA1
cf6fdd99463b81e027919838cd875af62dcddb8e

SHA256
59d23ccb753e2f84bb97c1db0589f0e9e615b2a6ce48a91cf4592d2b75d7fe43

SHA512
ea6434c6def8a9480762972abb391d146d88353d38e5f673f20abe688599659479be33e5148713d679b0e82443952af2562f8909bf9f77ddb8b959e23df0125c

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
6d57cb6c2d3d07f6c70ab0f39b6868a7

SHA1
cf6fdd99463b81e027919838cd875af62dcddb8e

SHA256
59d23ccb753e2f84bb97c1db0589f0e9e615b2a6ce48a91cf4592d2b75d7fe43

SHA512
ea6434c6def8a9480762972abb391d146d88353d38e5f673f20abe688599659479be33e5148713d679b0e82443952af2562f8909bf9f77ddb8b959e23df0125c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
Filesize
72KB

MD5
60eb7ed6983bc5e22bcf40342e01b607

SHA1
7355cea2fd935d4f1e13afb3a6131a8da698f3b5

SHA256
92e15edec7cbf3379c43e271e09ec67cf475d7a9bf8a3ed39fd280097a67b385

SHA512
952981149c7d3bba5e76bc9bc919df9eb13bc9e98e11ed071be4d4d95866e227f040478f8470343618fabf430ad1740955fb53552a66b8a53ae8869a9e437c4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
Filesize
72KB

MD5
60eb7ed6983bc5e22bcf40342e01b607

SHA1
7355cea2fd935d4f1e13afb3a6131a8da698f3b5

SHA256
92e15edec7cbf3379c43e271e09ec67cf475d7a9bf8a3ed39fd280097a67b385

SHA512
952981149c7d3bba5e76bc9bc919df9eb13bc9e98e11ed071be4d4d95866e227f040478f8470343618fabf430ad1740955fb53552a66b8a53ae8869a9e437c4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
Filesize
72KB

MD5
663da0d8ceef014cdee26bf3f82a23b3

SHA1
428c452213f2cbb2322cdab4ae83a033643b3188

SHA256
5e1aba1ce2a8cbbaf8e152dec2795a285d93791a9b262fd11dd9a320997bfa7c

SHA512
305f8ebe49057c7bb874cf72a058f1965eeacf1ca024a379fc5807dbed82560ec6bb7eb70c05d953b97491864d7502582766a9fe32d619bde5d606eb7be21d99

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
Filesize
72KB

MD5
663da0d8ceef014cdee26bf3f82a23b3

SHA1
428c452213f2cbb2322cdab4ae83a033643b3188

SHA256
5e1aba1ce2a8cbbaf8e152dec2795a285d93791a9b262fd11dd9a320997bfa7c

SHA512
305f8ebe49057c7bb874cf72a058f1965eeacf1ca024a379fc5807dbed82560ec6bb7eb70c05d953b97491864d7502582766a9fe32d619bde5d606eb7be21d99

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
Filesize
72KB

MD5
0d68c58af72641ec2546f6a46a22cde7

SHA1
96559a4ee3f40003a1f454766045ce56a55844af

SHA256
2de6dbd76f383e95cc97b9f2b5f399d599f6b8c68c2b0ad7a6dd2ae3547333e4

SHA512
b2ebc30dccfb1b412d27a4fa77cc9679a5b1f9b9e975c07dbd1f60e63c686bd5da15752d463dc9d0fddab8001e5f2258fabcfcf8f896921fd442a7bdc09ef20a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
Filesize
72KB

MD5
0d68c58af72641ec2546f6a46a22cde7

SHA1
96559a4ee3f40003a1f454766045ce56a55844af

SHA256
2de6dbd76f383e95cc97b9f2b5f399d599f6b8c68c2b0ad7a6dd2ae3547333e4

SHA512
b2ebc30dccfb1b412d27a4fa77cc9679a5b1f9b9e975c07dbd1f60e63c686bd5da15752d463dc9d0fddab8001e5f2258fabcfcf8f896921fd442a7bdc09ef20a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
Filesize
72KB

MD5
cd7adf3227ee189bbb2fd6c9a529af35

SHA1
a6bfec8d0e7dbfa0636191c35f822b548916495d

SHA256
454417ba25890f16d784af991127532a683b51aae50e73bf0677113f28abb68b

SHA512
e5549c85a170f956f482264ac0c5cc4180bfed5ced1bdcf24c689f024984c91137b64c00a858e0f5ead4d3029fd5fbb9b9b1e43e3682724a81b02d89aba7a078

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
Filesize
72KB

MD5
cd7adf3227ee189bbb2fd6c9a529af35

SHA1
a6bfec8d0e7dbfa0636191c35f822b548916495d

SHA256
454417ba25890f16d784af991127532a683b51aae50e73bf0677113f28abb68b

SHA512
e5549c85a170f956f482264ac0c5cc4180bfed5ced1bdcf24c689f024984c91137b64c00a858e0f5ead4d3029fd5fbb9b9b1e43e3682724a81b02d89aba7a078

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
Filesize
72KB

MD5
ef0436e42f09dddd8e62ba2c017eb022

SHA1
af5b97aff4e576347c7b79a765ca8a1ad4d73ed9

SHA256
5d69e48187e99d2934e54fba6a254f86879d65d41eaafdd1677b1c917461a36a

SHA512
8d79f6f221f0c300e201e9fb7f27ce562c0a84365a46c27e148a0fc09a50842826293bd0ca7abeb58428a85b19fcdb6c4cb7dab1024b5b39516be1c9ae9641e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
Filesize
72KB

MD5
ef0436e42f09dddd8e62ba2c017eb022

SHA1
af5b97aff4e576347c7b79a765ca8a1ad4d73ed9

SHA256
5d69e48187e99d2934e54fba6a254f86879d65d41eaafdd1677b1c917461a36a

SHA512
8d79f6f221f0c300e201e9fb7f27ce562c0a84365a46c27e148a0fc09a50842826293bd0ca7abeb58428a85b19fcdb6c4cb7dab1024b5b39516be1c9ae9641e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
Filesize
72KB

MD5
f5e744ca8f6f78917f3ef3fb33ea31a1

SHA1
5386b2c8a339156d855d75cba801263035d52684

SHA256
89050c1450f1d3075a6939ab7c124fe9fba2808d4049680b22aabf86494c77a1

SHA512
6f8b50afe8162b34f2b28232a9956f3e488e4f7b244b0a3e352879b6db9e5b989453b8f3b7fb5bf4f73a076a13f8d28380eda8f6bb919c669c90851528085495

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
Filesize
72KB

MD5
f5e744ca8f6f78917f3ef3fb33ea31a1

SHA1
5386b2c8a339156d855d75cba801263035d52684

SHA256
89050c1450f1d3075a6939ab7c124fe9fba2808d4049680b22aabf86494c77a1

SHA512
6f8b50afe8162b34f2b28232a9956f3e488e4f7b244b0a3e352879b6db9e5b989453b8f3b7fb5bf4f73a076a13f8d28380eda8f6bb919c669c90851528085495

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe
Filesize
72KB

MD5
ef0436e42f09dddd8e62ba2c017eb022

SHA1
af5b97aff4e576347c7b79a765ca8a1ad4d73ed9

SHA256
5d69e48187e99d2934e54fba6a254f86879d65d41eaafdd1677b1c917461a36a

SHA512
8d79f6f221f0c300e201e9fb7f27ce562c0a84365a46c27e148a0fc09a50842826293bd0ca7abeb58428a85b19fcdb6c4cb7dab1024b5b39516be1c9ae9641e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe
Filesize
72KB

MD5
ef0436e42f09dddd8e62ba2c017eb022

SHA1
af5b97aff4e576347c7b79a765ca8a1ad4d73ed9

SHA256
5d69e48187e99d2934e54fba6a254f86879d65d41eaafdd1677b1c917461a36a

SHA512
8d79f6f221f0c300e201e9fb7f27ce562c0a84365a46c27e148a0fc09a50842826293bd0ca7abeb58428a85b19fcdb6c4cb7dab1024b5b39516be1c9ae9641e3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
Filesize
72KB

MD5
60eb7ed6983bc5e22bcf40342e01b607

SHA1
7355cea2fd935d4f1e13afb3a6131a8da698f3b5

SHA256
92e15edec7cbf3379c43e271e09ec67cf475d7a9bf8a3ed39fd280097a67b385

SHA512
952981149c7d3bba5e76bc9bc919df9eb13bc9e98e11ed071be4d4d95866e227f040478f8470343618fabf430ad1740955fb53552a66b8a53ae8869a9e437c4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
Filesize
72KB

MD5
60eb7ed6983bc5e22bcf40342e01b607

SHA1
7355cea2fd935d4f1e13afb3a6131a8da698f3b5

SHA256
92e15edec7cbf3379c43e271e09ec67cf475d7a9bf8a3ed39fd280097a67b385

SHA512
952981149c7d3bba5e76bc9bc919df9eb13bc9e98e11ed071be4d4d95866e227f040478f8470343618fabf430ad1740955fb53552a66b8a53ae8869a9e437c4e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
Filesize
72KB

MD5
df6a8d0de6c484a53ba0485be9842bed

SHA1
b454fb6c470d8c552a074db198ed9748833b3035

SHA256
d4327dde2f02f06fa143e411566211d2641eff1112ca1d0c6eef0545e26f0869

SHA512
247467967dccdee7723679fbd05537ebf0d7de1d256009d60f6e0039971fe7c029a2e3af87d764754b9e106007c20c95f54f843b073d1fbe7d796a7721cb2d4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
Filesize
72KB

MD5
df6a8d0de6c484a53ba0485be9842bed

SHA1
b454fb6c470d8c552a074db198ed9748833b3035

SHA256
d4327dde2f02f06fa143e411566211d2641eff1112ca1d0c6eef0545e26f0869

SHA512
247467967dccdee7723679fbd05537ebf0d7de1d256009d60f6e0039971fe7c029a2e3af87d764754b9e106007c20c95f54f843b073d1fbe7d796a7721cb2d4d

Download Submit
C:\Program Files (x86)\Adobe\backup.exe
Filesize
72KB

MD5
9fe6d8d9b2498c2a06050e4122a264d8

SHA1
f54cc5b297b9885860e0d26798919c96105a2f90

SHA256
8a9703b89574e2b7a0b1af25dbb1176b74a5af7f3cdb22853fb3f8e2556b1afe

SHA512
f06a8893b75ab716c016a6f28e0fc362b26e0212179f425946d31c7842e82246eb6704e5413df7d69cbf7bae8f3942604a8a2ab34f38aaee09decdf35bfff3b5

Download Submit
C:\Program Files (x86)\Adobe\backup.exe
Filesize
72KB

MD5
9fe6d8d9b2498c2a06050e4122a264d8

SHA1
f54cc5b297b9885860e0d26798919c96105a2f90

SHA256
8a9703b89574e2b7a0b1af25dbb1176b74a5af7f3cdb22853fb3f8e2556b1afe

SHA512
f06a8893b75ab716c016a6f28e0fc362b26e0212179f425946d31c7842e82246eb6704e5413df7d69cbf7bae8f3942604a8a2ab34f38aaee09decdf35bfff3b5

Download Submit
C:\Program Files (x86)\backup.exe
Filesize
72KB

MD5
a42c0fb5e532921d342dac2371305caa

SHA1
b7e9da145a0ea0eb13f924d968c5765bd3ffc6b5

SHA256
bf89c42102c66222803628ff254513d037bc91a5618250abb609794de70da907

SHA512
3848548aec973bb3120e59ae695fb0b98b303b7b0ecdb6a074da57d68a327702cea606ca9b89da86e7affce0bc40e8cfc06511d8114a7533a0eddc3721354b42

Download Submit
C:\Program Files (x86)\backup.exe
Filesize
72KB

MD5
a42c0fb5e532921d342dac2371305caa

SHA1
b7e9da145a0ea0eb13f924d968c5765bd3ffc6b5

SHA256
bf89c42102c66222803628ff254513d037bc91a5618250abb609794de70da907

SHA512
3848548aec973bb3120e59ae695fb0b98b303b7b0ecdb6a074da57d68a327702cea606ca9b89da86e7affce0bc40e8cfc06511d8114a7533a0eddc3721354b42

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
6f769a1ce08f2395ed0b50cfec448081

SHA1
4ba53576dfdd95f8e7109faa294a154fc40e0448

SHA256
1257ec60733bc6099bf7b1a7a45c9cebb897b81de433c71a1407279c6bba5387

SHA512
76c2b6f09bbe8b8cb40e62d89b2a3427febb9ae143382be1ddcf1b93cbc9504c062a0fb5210ecff2b4d32d418fc7ea0897f918f9ea7bcd89e14b2c27afc2e9d1

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
6f769a1ce08f2395ed0b50cfec448081

SHA1
4ba53576dfdd95f8e7109faa294a154fc40e0448

SHA256
1257ec60733bc6099bf7b1a7a45c9cebb897b81de433c71a1407279c6bba5387

SHA512
76c2b6f09bbe8b8cb40e62d89b2a3427febb9ae143382be1ddcf1b93cbc9504c062a0fb5210ecff2b4d32d418fc7ea0897f918f9ea7bcd89e14b2c27afc2e9d1

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
44184122d7d1a55b9b9b8fbc22c7cfcb

SHA1
c501e5532f94b9ebba4f4a774edc72049d69dabb

SHA256
78952138e578a1d8fc1031c585043172240d53ce140fccfc289f6ce507a818b5

SHA512
61a9e36e049307b8476610a134c2ba2b3dc0cca510ce7b5caed94f55a4230adfed92f6d61ad3cf625a7c48ebce345f16ac8a69ad2d5e4adf6032e5351ac61dd2

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
44184122d7d1a55b9b9b8fbc22c7cfcb

SHA1
c501e5532f94b9ebba4f4a774edc72049d69dabb

SHA256
78952138e578a1d8fc1031c585043172240d53ce140fccfc289f6ce507a818b5

SHA512
61a9e36e049307b8476610a134c2ba2b3dc0cca510ce7b5caed94f55a4230adfed92f6d61ad3cf625a7c48ebce345f16ac8a69ad2d5e4adf6032e5351ac61dd2

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe
Filesize
72KB

MD5
9ea7cba2026d53afac49a2bc9e91679f

SHA1
c29891d2540ce60b634307b3057ae0f6a28ac97d

SHA256
26ce55810ded93212700f88e8ff55ba0cc4c47f4060874d06ea638141f6b4435

SHA512
8d50d190ae922c68b4ea471385b60cdbfb51c8e4a998b58d5897628ab777494d36f8770e6df21e5317c368270a13c73523cfc2b27a15d19412acf1bd1a9613c0

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe
Filesize
72KB

MD5
9ea7cba2026d53afac49a2bc9e91679f

SHA1
c29891d2540ce60b634307b3057ae0f6a28ac97d

SHA256
26ce55810ded93212700f88e8ff55ba0cc4c47f4060874d06ea638141f6b4435

SHA512
8d50d190ae922c68b4ea471385b60cdbfb51c8e4a998b58d5897628ab777494d36f8770e6df21e5317c368270a13c73523cfc2b27a15d19412acf1bd1a9613c0

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
a6a33bbcfd3fdf0dcfd7b15dded5beb0

SHA1
7576f3aa91009c8307d661cc4d49410a6a1f221a

SHA256
1b32185e58d8c371fd5f6d518a24da64c8a9068bc472ba54dfca0074df53694d

SHA512
244f8039cc192d73955f1e9f2f023edf2edd055a1b8675c7d638cd01586bd2cf990bcc108ae9abdb258539769c7c58945234ce59ee8410d7f276e8cb53711157

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
a6a33bbcfd3fdf0dcfd7b15dded5beb0

SHA1
7576f3aa91009c8307d661cc4d49410a6a1f221a

SHA256
1b32185e58d8c371fd5f6d518a24da64c8a9068bc472ba54dfca0074df53694d

SHA512
244f8039cc192d73955f1e9f2f023edf2edd055a1b8675c7d638cd01586bd2cf990bcc108ae9abdb258539769c7c58945234ce59ee8410d7f276e8cb53711157

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
Filesize
72KB

MD5
4abce3519530961b3efabac9669372e7

SHA1
0da61447ff59cdbb286b32a5354b7da5e37b4291

SHA256
0c79f983c610e2e4ecd7f372a307eeadef5b6dc2aa9aa9f2790b1e0512aeb5c8

SHA512
58bc5406629dc9360fd58f7c54dbea748b9a66f37f49242b445db53fdb739bf4bc850613df6884ac4fc9b30b0ec316f617043d668ce05fe09c680315d87fb629

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
Filesize
72KB

MD5
4abce3519530961b3efabac9669372e7

SHA1
0da61447ff59cdbb286b32a5354b7da5e37b4291

SHA256
0c79f983c610e2e4ecd7f372a307eeadef5b6dc2aa9aa9f2790b1e0512aeb5c8

SHA512
58bc5406629dc9360fd58f7c54dbea748b9a66f37f49242b445db53fdb739bf4bc850613df6884ac4fc9b30b0ec316f617043d668ce05fe09c680315d87fb629

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe
Filesize
72KB

MD5
9ea7cba2026d53afac49a2bc9e91679f

SHA1
c29891d2540ce60b634307b3057ae0f6a28ac97d

SHA256
26ce55810ded93212700f88e8ff55ba0cc4c47f4060874d06ea638141f6b4435

SHA512
8d50d190ae922c68b4ea471385b60cdbfb51c8e4a998b58d5897628ab777494d36f8770e6df21e5317c368270a13c73523cfc2b27a15d19412acf1bd1a9613c0

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe
Filesize
72KB

MD5
9ea7cba2026d53afac49a2bc9e91679f

SHA1
c29891d2540ce60b634307b3057ae0f6a28ac97d

SHA256
26ce55810ded93212700f88e8ff55ba0cc4c47f4060874d06ea638141f6b4435

SHA512
8d50d190ae922c68b4ea471385b60cdbfb51c8e4a998b58d5897628ab777494d36f8770e6df21e5317c368270a13c73523cfc2b27a15d19412acf1bd1a9613c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
4b88abef0e11e8ffa0d33122bc90cf91

SHA1
ec1e742c8809e4a00069976efa005f3c52e95df9

SHA256
944177df5bbfe49793b14471f63af7877b67631201dba490cdc1e6cfd0811e58

SHA512
5ad3a46bce38ee6da7f812a264d1ea6c038eee986fe5cf67400972ab6b81d9a747b1739890af691e83fb5cbad97034df1bc9e2957ecf72a080eae7b74139c83b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
4b88abef0e11e8ffa0d33122bc90cf91

SHA1
ec1e742c8809e4a00069976efa005f3c52e95df9

SHA256
944177df5bbfe49793b14471f63af7877b67631201dba490cdc1e6cfd0811e58

SHA512
5ad3a46bce38ee6da7f812a264d1ea6c038eee986fe5cf67400972ab6b81d9a747b1739890af691e83fb5cbad97034df1bc9e2957ecf72a080eae7b74139c83b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe
Filesize
72KB

MD5
1980fb27cbaa0dd54d6ed6cc7ce7527a

SHA1
55eb2d0a07acbe711ceb7077f6e4bc33c13cc449

SHA256
6659d4b99263ccfa201ebda09118e3f81c1a699be82bea3457a763e8051132f5

SHA512
3e36c3fcc90ce286f365b7a55898724d87e82bbc7b16ee154d066e938b0d3eb17b0560b48f03dbabc463e1c982da761902ee252ec7e09a63a0b6c5f335014a59

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe
Filesize
72KB

MD5
1980fb27cbaa0dd54d6ed6cc7ce7527a

SHA1
55eb2d0a07acbe711ceb7077f6e4bc33c13cc449

SHA256
6659d4b99263ccfa201ebda09118e3f81c1a699be82bea3457a763e8051132f5

SHA512
3e36c3fcc90ce286f365b7a55898724d87e82bbc7b16ee154d066e938b0d3eb17b0560b48f03dbabc463e1c982da761902ee252ec7e09a63a0b6c5f335014a59

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
a22fda3f9d536fdf633ad177f4a976fb

SHA1
8312eab365b0c26f17d5c6c5827b149afc836281

SHA256
a79c7ab65d830b711cd88ceb12ff987cf3847bf89f05ae5a9b5a2921f3deae53

SHA512
0243d316cdd0bd1b3fd36149d1e7dcc21ea441f6b5e6b895f8a594ee31dfc8d7d2b83039dabec49fbcdf257caa2ae04ac2f714bf7567e906160093781bbd0dec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
a22fda3f9d536fdf633ad177f4a976fb

SHA1
8312eab365b0c26f17d5c6c5827b149afc836281

SHA256
a79c7ab65d830b711cd88ceb12ff987cf3847bf89f05ae5a9b5a2921f3deae53

SHA512
0243d316cdd0bd1b3fd36149d1e7dcc21ea441f6b5e6b895f8a594ee31dfc8d7d2b83039dabec49fbcdf257caa2ae04ac2f714bf7567e906160093781bbd0dec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
a22fda3f9d536fdf633ad177f4a976fb

SHA1
8312eab365b0c26f17d5c6c5827b149afc836281

SHA256
a79c7ab65d830b711cd88ceb12ff987cf3847bf89f05ae5a9b5a2921f3deae53

SHA512
0243d316cdd0bd1b3fd36149d1e7dcc21ea441f6b5e6b895f8a594ee31dfc8d7d2b83039dabec49fbcdf257caa2ae04ac2f714bf7567e906160093781bbd0dec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
a22fda3f9d536fdf633ad177f4a976fb

SHA1
8312eab365b0c26f17d5c6c5827b149afc836281

SHA256
a79c7ab65d830b711cd88ceb12ff987cf3847bf89f05ae5a9b5a2921f3deae53

SHA512
0243d316cdd0bd1b3fd36149d1e7dcc21ea441f6b5e6b895f8a594ee31dfc8d7d2b83039dabec49fbcdf257caa2ae04ac2f714bf7567e906160093781bbd0dec

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
6d57cb6c2d3d07f6c70ab0f39b6868a7

SHA1
cf6fdd99463b81e027919838cd875af62dcddb8e

SHA256
59d23ccb753e2f84bb97c1db0589f0e9e615b2a6ce48a91cf4592d2b75d7fe43

SHA512
ea6434c6def8a9480762972abb391d146d88353d38e5f673f20abe688599659479be33e5148713d679b0e82443952af2562f8909bf9f77ddb8b959e23df0125c

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
6d57cb6c2d3d07f6c70ab0f39b6868a7

SHA1
cf6fdd99463b81e027919838cd875af62dcddb8e

SHA256
59d23ccb753e2f84bb97c1db0589f0e9e615b2a6ce48a91cf4592d2b75d7fe43

SHA512
ea6434c6def8a9480762972abb391d146d88353d38e5f673f20abe688599659479be33e5148713d679b0e82443952af2562f8909bf9f77ddb8b959e23df0125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1384053283\update.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1384053283\update.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
9719a2c23c517a2f7adc6014f83758bf

SHA1
cef783624d7a44b923941f66e452c16ad2f44291

SHA256
53f6b40a10849eddaabcc936f2e2d41033458eab74eee613843468f3543301a1

SHA512
e8eba79faa4a3239d94beb6678e1ab33c912b1ded80f02c8c07adb7c42459f5541c5684a237dc68b08cc7f39d1e20621a682222cf3580b099288ecf54c975fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
9719a2c23c517a2f7adc6014f83758bf

SHA1
cef783624d7a44b923941f66e452c16ad2f44291

SHA256
53f6b40a10849eddaabcc936f2e2d41033458eab74eee613843468f3543301a1

SHA512
e8eba79faa4a3239d94beb6678e1ab33c912b1ded80f02c8c07adb7c42459f5541c5684a237dc68b08cc7f39d1e20621a682222cf3580b099288ecf54c975fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
e3c27452aa2e7688309a24e69d83f04c

SHA1
677ab0a9a289a68f984318a9850f75a7b6480646

SHA256
cc3ab720d4d2c57f9522467de1be2e20b04e6c0c4b72f3af6442a0d64f1baa0d

SHA512
312f69edd8ed728eb33dbb8321a8e944023a381ccde7d4bd167d6bedd967a462ffbd4839d6c62e259283b6dd9ba85f57b559ee5ceee83d1d6f0ac2b0883e630c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
9719a2c23c517a2f7adc6014f83758bf

SHA1
cef783624d7a44b923941f66e452c16ad2f44291

SHA256
53f6b40a10849eddaabcc936f2e2d41033458eab74eee613843468f3543301a1

SHA512
e8eba79faa4a3239d94beb6678e1ab33c912b1ded80f02c8c07adb7c42459f5541c5684a237dc68b08cc7f39d1e20621a682222cf3580b099288ecf54c975fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
9719a2c23c517a2f7adc6014f83758bf

SHA1
cef783624d7a44b923941f66e452c16ad2f44291

SHA256
53f6b40a10849eddaabcc936f2e2d41033458eab74eee613843468f3543301a1

SHA512
e8eba79faa4a3239d94beb6678e1ab33c912b1ded80f02c8c07adb7c42459f5541c5684a237dc68b08cc7f39d1e20621a682222cf3580b099288ecf54c975fec

Download Submit
C:\backup.exe
Filesize
72KB

MD5
e6ff2a4c091d3fb55f098096fa4959df

SHA1
ec4869f4cc2586db8870a1a274ded524b2abcaa1

SHA256
e7a568fdad6f7a07e4cc40dc074e68ef6a0cf93eafcff0686f50bcf96fc7c8fe

SHA512
e1aec6441de3d6c6bab97c2bf3b5053b4713e0b414e95cf72c6d22a25436f4935a646dfca8a3ecba60839e4d279e69825b5430f69a583fd4c8ae4f62b42c2635

Download Submit
C:\backup.exe
Filesize
72KB

MD5
e6ff2a4c091d3fb55f098096fa4959df

SHA1
ec4869f4cc2586db8870a1a274ded524b2abcaa1

SHA256
e7a568fdad6f7a07e4cc40dc074e68ef6a0cf93eafcff0686f50bcf96fc7c8fe

SHA512
e1aec6441de3d6c6bab97c2bf3b5053b4713e0b414e95cf72c6d22a25436f4935a646dfca8a3ecba60839e4d279e69825b5430f69a583fd4c8ae4f62b42c2635

Download Submit
C:\odt\backup.exe
Filesize
72KB

MD5
f45cdb8a2a3f4f10a44d4af2e683d589

SHA1
89bac0f3528f77aa87f452c2d957cc0242e189e2

SHA256
d7c24602f036539ae2155eab864c01a7b3895c4ac2934a9ec261e4b97a18f65e

SHA512
6af19143f1f8410402c7021b3ccbfd6cf9313be04d103ca43454de0e2bec37a294e651d645d16365ab2a00c2295aef250c9b3267d25c056a87d443e55fce6ae6

Download Submit
C:\odt\backup.exe
Filesize
72KB

MD5
f45cdb8a2a3f4f10a44d4af2e683d589

SHA1
89bac0f3528f77aa87f452c2d957cc0242e189e2

SHA256
d7c24602f036539ae2155eab864c01a7b3895c4ac2934a9ec261e4b97a18f65e

SHA512
6af19143f1f8410402c7021b3ccbfd6cf9313be04d103ca43454de0e2bec37a294e651d645d16365ab2a00c2295aef250c9b3267d25c056a87d443e55fce6ae6

Download Submit
memory/508-370-0x0000000000000000-mapping.dmp

Download
memory/728-274-0x0000000000000000-mapping.dmp

Download
memory/884-209-0x0000000000000000-mapping.dmp

Download
memory/1020-144-0x0000000000000000-mapping.dmp

Download
memory/1208-303-0x0000000000000000-mapping.dmp

Download
memory/1408-368-0x0000000000000000-mapping.dmp

Download
memory/1464-282-0x0000000000000000-mapping.dmp

Download
memory/1488-279-0x0000000000000000-mapping.dmp

Download
memory/1508-324-0x0000000000000000-mapping.dmp

Download
memory/1520-234-0x0000000000000000-mapping.dmp

Download
memory/1532-364-0x0000000000000000-mapping.dmp

Download
memory/1544-352-0x0000000000000000-mapping.dmp

Download
memory/1576-363-0x0000000000000000-mapping.dmp

Download
memory/1592-318-0x0000000000000000-mapping.dmp

Download
memory/1716-179-0x0000000000000000-mapping.dmp

Download
memory/1732-340-0x0000000000000000-mapping.dmp

Download
memory/1972-369-0x0000000000000000-mapping.dmp

Download
memory/1976-249-0x0000000000000000-mapping.dmp

Download
memory/2000-327-0x0000000000000000-mapping.dmp

Download
memory/2004-350-0x0000000000000000-mapping.dmp

Download
memory/2028-242-0x0000000000000000-mapping.dmp

Download
memory/2040-289-0x0000000000000000-mapping.dmp

Download
memory/2124-159-0x0000000000000000-mapping.dmp

Download
memory/2136-184-0x0000000000000000-mapping.dmp

Download
memory/2160-295-0x0000000000000000-mapping.dmp

Download
memory/2164-333-0x0000000000000000-mapping.dmp

Download
memory/2192-164-0x0000000000000000-mapping.dmp

Download
memory/2388-314-0x0000000000000000-mapping.dmp

Download
memory/2816-264-0x0000000000000000-mapping.dmp

Download
memory/2848-219-0x0000000000000000-mapping.dmp

Download
memory/2884-339-0x0000000000000000-mapping.dmp

Download
memory/3524-307-0x0000000000000000-mapping.dmp

Download
memory/3600-200-0x0000000000000000-mapping.dmp

Download
memory/3624-365-0x0000000000000000-mapping.dmp

Download
memory/3748-189-0x0000000000000000-mapping.dmp

Download
memory/3812-239-0x0000000000000000-mapping.dmp

Download
memory/3916-366-0x0000000000000000-mapping.dmp

Download
memory/3924-212-0x0000000000000000-mapping.dmp

Download
memory/3980-169-0x0000000000000000-mapping.dmp

Download
memory/4136-300-0x0000000000000000-mapping.dmp

Download
memory/4172-134-0x0000000000000000-mapping.dmp

Download
memory/4244-229-0x0000000000000000-mapping.dmp

Download
memory/4252-257-0x0000000000000000-mapping.dmp

Download
memory/4320-194-0x0000000000000000-mapping.dmp

Download
memory/4328-154-0x0000000000000000-mapping.dmp

Download
memory/4376-199-0x0000000000000000-mapping.dmp

Download
memory/4384-349-0x0000000000000000-mapping.dmp

Download
memory/4408-345-0x0000000000000000-mapping.dmp

Download
memory/4488-312-0x0000000000000000-mapping.dmp

Download
memory/4524-351-0x0000000000000000-mapping.dmp

Download
memory/4576-348-0x0000000000000000-mapping.dmp

Download
memory/4652-224-0x0000000000000000-mapping.dmp

Download
memory/4664-174-0x0000000000000000-mapping.dmp

Download
memory/4720-321-0x0000000000000000-mapping.dmp

Download
memory/4796-267-0x0000000000000000-mapping.dmp

Download
memory/4812-254-0x0000000000000000-mapping.dmp

Download
memory/4844-294-0x0000000000000000-mapping.dmp

Download
memory/4892-367-0x0000000000000000-mapping.dmp

Download
memory/4980-306-0x0000000000000000-mapping.dmp

Download
memory/5048-371-0x0000000000000000-mapping.dmp

Download
memory/5068-334-0x0000000000000000-mapping.dmp

Download
memory/5068-149-0x0000000000000000-mapping.dmp

Download
memory/5104-139-0x0000000000000000-mapping.dmp

Download
memory/5104-330-0x0000000000000000-mapping.dmp

Download