3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69

Analysis

max time kernel
167s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe
Size

72KB
MD5

04455d9467ba87cfc36653b3033a02e5
SHA1

91c8683f473571c6431b31f117397a774c3ec7c4
SHA256

3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69
SHA512

add9a89c6f016ed5bd11ce46f36dbfbd62757ab020b62ebffee0cdeee47fb43a1c102cf1a2accdc39de09a1bb2e136dcb0ae417b322636762219dbed29a1c22b
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2N:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP5

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1664	System Restore.exe
1468	backup.exe
3264	backup.exe
4764	backup.exe
4596	System Restore.exe
4888	update.exe
4280	System Restore.exe
5060	backup.exe
3988	backup.exe
4268	System Restore.exe
3480	data.exe
4108	backup.exe
4264	backup.exe
4500	backup.exe
100	data.exe
216	backup.exe
4508	backup.exe
3860	System Restore.exe
3616	backup.exe
3660	backup.exe
4680	backup.exe
4980	backup.exe
1916	backup.exe
1244	backup.exe
1492	backup.exe
3188	backup.exe
4740	backup.exe
3820	backup.exe
1056	backup.exe
752	backup.exe
4552	backup.exe
4448	backup.exe
3868	backup.exe
3236	backup.exe
1984	backup.exe
1616	backup.exe
2380	backup.exe
4668	backup.exe
1540	backup.exe
4692	backup.exe
4536	backup.exe
3152	backup.exe
2204	backup.exe
2032	backup.exe
4964	backup.exe
1364	backup.exe
2784	backup.exe
1140	backup.exe
3592	backup.exe
3456	backup.exe
2164	backup.exe
2524	backup.exe
3720	backup.exe
2900	backup.exe
4820	backup.exe
1004	backup.exe
2244	backup.exe
1088	backup.exe
2044	backup.exe
1844	backup.exe
2008	backup.exe
5000	backup.exe
460	backup.exe
3640	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	update.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\System Restore.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\en-US\System Restore.exe	System Restore.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	update.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe
1664	System Restore.exe
1468	backup.exe
3264	backup.exe
4764	backup.exe
4596	System Restore.exe
4888	update.exe
4280	System Restore.exe
3988	backup.exe
5060	backup.exe
3480	data.exe
4268	System Restore.exe
4108	backup.exe
4264	backup.exe
4500	backup.exe
100	data.exe
216	backup.exe
3860	System Restore.exe
4508	backup.exe
3660	backup.exe
3616	backup.exe
4680	backup.exe
4980	backup.exe
1916	backup.exe
1244	backup.exe
1492	backup.exe
3188	backup.exe
4740	backup.exe
3820	backup.exe
752	backup.exe
4552	backup.exe
1056	backup.exe
4448	backup.exe
3868	backup.exe
3236	backup.exe
2380	backup.exe
1984	backup.exe
1616	backup.exe
4668	backup.exe
1540	backup.exe
4692	backup.exe
4536	backup.exe
3152	backup.exe
2204	backup.exe
2032	backup.exe
4964	backup.exe
2784	backup.exe
1364	backup.exe
1140	backup.exe
3592	backup.exe
3456	backup.exe
2164	backup.exe
2524	backup.exe
3720	backup.exe
2900	backup.exe
4820	backup.exe
2244	backup.exe
1004	backup.exe
1088	backup.exe
2044	backup.exe
1844	backup.exe
2008	backup.exe
5000	backup.exe
3640	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1664	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	81
PID 3000 wrote to memory of 1664	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	81
PID 3000 wrote to memory of 1664	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	81
PID 3000 wrote to memory of 1468	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	82
PID 3000 wrote to memory of 1468	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	82
PID 3000 wrote to memory of 1468	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	82
PID 3000 wrote to memory of 3264	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	83
PID 3000 wrote to memory of 3264	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	83
PID 3000 wrote to memory of 3264	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	83
PID 1664 wrote to memory of 4764	1664	System Restore.exe	84
PID 1664 wrote to memory of 4764	1664	System Restore.exe	84
PID 1664 wrote to memory of 4764	1664	System Restore.exe	84
PID 3000 wrote to memory of 4596	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	85
PID 3000 wrote to memory of 4596	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	85
PID 3000 wrote to memory of 4596	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	85
PID 4764 wrote to memory of 4888	4764	backup.exe	86
PID 4764 wrote to memory of 4888	4764	backup.exe	86
PID 4764 wrote to memory of 4888	4764	backup.exe	86
PID 3000 wrote to memory of 4280	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	87
PID 3000 wrote to memory of 4280	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	87
PID 3000 wrote to memory of 4280	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	87
PID 4764 wrote to memory of 5060	4764	backup.exe	88
PID 4764 wrote to memory of 5060	4764	backup.exe	88
PID 4764 wrote to memory of 5060	4764	backup.exe	88
PID 3000 wrote to memory of 3988	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	89
PID 3000 wrote to memory of 3988	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	89
PID 3000 wrote to memory of 3988	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	89
PID 4764 wrote to memory of 4268	4764	backup.exe	90
PID 4764 wrote to memory of 4268	4764	backup.exe	90
PID 4764 wrote to memory of 4268	4764	backup.exe	90
PID 3000 wrote to memory of 3480	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	91
PID 3000 wrote to memory of 3480	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	91
PID 3000 wrote to memory of 3480	3000	3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe	91
PID 4268 wrote to memory of 4108	4268	System Restore.exe	92
PID 4268 wrote to memory of 4108	4268	System Restore.exe	92
PID 4268 wrote to memory of 4108	4268	System Restore.exe	92
PID 4764 wrote to memory of 4264	4764	backup.exe	94
PID 4764 wrote to memory of 4264	4764	backup.exe	94
PID 4764 wrote to memory of 4264	4764	backup.exe	94
PID 4108 wrote to memory of 4500	4108	backup.exe	93
PID 4108 wrote to memory of 4500	4108	backup.exe	93
PID 4108 wrote to memory of 4500	4108	backup.exe	93
PID 4264 wrote to memory of 100	4264	backup.exe	96
PID 4264 wrote to memory of 100	4264	backup.exe	96
PID 4264 wrote to memory of 100	4264	backup.exe	96
PID 4268 wrote to memory of 216	4268	System Restore.exe	95
PID 4268 wrote to memory of 216	4268	System Restore.exe	95
PID 4268 wrote to memory of 216	4268	System Restore.exe	95
PID 100 wrote to memory of 3860	100	data.exe	97
PID 100 wrote to memory of 3860	100	data.exe	97
PID 100 wrote to memory of 3860	100	data.exe	97
PID 216 wrote to memory of 4508	216	backup.exe	98
PID 216 wrote to memory of 4508	216	backup.exe	98
PID 216 wrote to memory of 4508	216	backup.exe	98
PID 216 wrote to memory of 3616	216	backup.exe	99
PID 216 wrote to memory of 3616	216	backup.exe	99
PID 216 wrote to memory of 3616	216	backup.exe	99
PID 4264 wrote to memory of 3660	4264	backup.exe	100
PID 4264 wrote to memory of 3660	4264	backup.exe	100
PID 4264 wrote to memory of 3660	4264	backup.exe	100
PID 3860 wrote to memory of 4680	3860	System Restore.exe	101
PID 3860 wrote to memory of 4680	3860	System Restore.exe	101
PID 3860 wrote to memory of 4680	3860	System Restore.exe	101
PID 4268 wrote to memory of 4980	4268	System Restore.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe
"C:\Users\Admin\AppData\Local\Temp\3d12b44cdf6d37ec06e0df79bba3f16ab5c97ab47a6f81e4f4cc4bfac93a4a69.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\2234999677\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\2234999677\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\2234999677\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\odt\update.exe
      C:\odt\update.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4888
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5060
  - - C:\Program Files\System Restore.exe
      "C:\Program Files\System Restore.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:216
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4508
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4448
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3236
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:460
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        
        PID:1276
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        System policy modification
        
        PID:3080
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5036
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        System policy modification
        
        PID:1344
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:4508
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1228
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:1116
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:3424
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:2388
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3648
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:3088
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:1604
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:4244
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4376
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4852
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4980
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4196
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3232
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:3080
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2164
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:3160
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2168
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:3360
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1012
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2596
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1972
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3120
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4340
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4840
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:4504
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:4952
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3856
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2068
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2408
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4504
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4436
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1932
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4980
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4820
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Disables RegEdit via registry modification
        
        PID:392
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1164
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:4840
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1796
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Disables RegEdit via registry modification
        
        PID:752
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4312
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3856
      - C:\Program Files\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files\Internet Explorer\en-US\System Restore.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2944
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2196
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:1032
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4864
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4844
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:2860
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:960
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:1680
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Drops file in Program Files directory
        
        PID:3968
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\data.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:3992
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:3660
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:2584
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:3816
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Program Files\Java\jdk1.8.0_66\jre\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:2864
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:1136
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        System policy modification
        
        PID:1796
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:4680
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4960
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:3624
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:5056
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        
        PID:1228
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:4912
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:1764
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:4952
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        System policy modification
        
        PID:724
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\update.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\update.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:4296
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        System policy modification
        
        PID:4456
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4056
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:3232
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:4164
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:932
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2852
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1256
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4264
    - - C:\Program Files (x86)\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\data.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:1228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3188
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:3664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:1332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4568
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:4196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:3480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:4216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Disables RegEdit via registry modification
        
        PID:3388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4204
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3660
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1244
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5000
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2344
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Disables RegEdit via registry modification
        
        PID:228
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:4260
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Drops file in Program Files directory
        
        PID:2532
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        Drops file in Program Files directory
        
        PID:3464
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4552
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:3204
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        System policy modification
        
        PID:2252
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:996
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:4496
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:4088
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:4872
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:3720
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4276
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:4864
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4160
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:4832
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:3868
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:3468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3388
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:3112
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:1368
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2196
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        System policy modification
        
        PID:2900
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4212
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1588
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:3960
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4584
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4944
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1308
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:712
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2548
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:460
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:3140
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4500
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1484
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\update.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:4172
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        System policy modification
        
        PID:3460
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4880
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:3388
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:4764
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Program Files (x86)\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\update.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2412
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:3840
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:4580
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:320
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4880
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:2604
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3000
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2848
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2072
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4212
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1140
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\data.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\data.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:3516
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\data.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\data.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        System policy modification
        
        PID:3648
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1324
        
        C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\
        8⤵
        
        PID:5048
        
        C:\Program Files (x86)\Google\Update\Offline\update.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\update.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:1964
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:740
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2188
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1604
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3164
      - C:\Program Files (x86)\Internet Explorer\images\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\data.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:4636
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        System policy modification
        
        PID:4452
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:1524
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        System policy modification
        
        PID:5068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        System policy modification
        
        PID:1340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:2784
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:4808
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:4916
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1916
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4740
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3868
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4668
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1088
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4944
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:396
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4240
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4524
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System policy modification
        
        PID:732
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3152
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:4844
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2876
      - C:\Users\Public\Documents\System Restore.exe
        
        "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5048
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4788
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:384
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:212
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      System policy modification
      PID:2632
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:776
    - - C:\Windows\appcompat\System Restore.exe
        
        "C:\Windows\appcompat\System Restore.exe" C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:2136
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4456
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1552
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:776
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2976
    - - C:\Windows\apppatch\System Restore.exe
        
        "C:\Windows\apppatch\System Restore.exe" C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:3736
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4108
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2520
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3232
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:1244
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4392
      - C:\Windows\apppatch\en-US\System Restore.exe
        
        "C:\Windows\apppatch\en-US\System Restore.exe" C:\Windows\apppatch\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3600
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3276
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:3424
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:3328
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:2132
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2888
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:2812
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1216
        
        C:\Windows\assembly\GAC\Extensibility\update.exe
        
        C:\Windows\assembly\GAC\Extensibility\update.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:1660
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2256
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5f80b021d0eb1e75f79968646157c9ee

SHA1
7df4fab77b3c5094440bb48c3fb0cf58c88258c0

SHA256
13822fa159b485879eb955fbc0c1fe6cd9660be7e095e3d79cae02feb9c37ab3

SHA512
310927a6074d65c31b460af10352bd3cadd49004c71b1a8b72aa8711e1cf89bb9b26166fc8ab5eb27e21f3d6e55a1099355dc9dda02d709f12bb80340e612a10

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
5f80b021d0eb1e75f79968646157c9ee

SHA1
7df4fab77b3c5094440bb48c3fb0cf58c88258c0

SHA256
13822fa159b485879eb955fbc0c1fe6cd9660be7e095e3d79cae02feb9c37ab3

SHA512
310927a6074d65c31b460af10352bd3cadd49004c71b1a8b72aa8711e1cf89bb9b26166fc8ab5eb27e21f3d6e55a1099355dc9dda02d709f12bb80340e612a10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
0ae4a21758166373e8c3990878b3c809

SHA1
7f50c8bbb88a6e6e16c4490a621006604c8d8bde

SHA256
020629bb8f7e69a58bfc34e35ef2b34fc01816d76045b5f5fc2e07a33e83b476

SHA512
9ff3bf6b360431032349ffe0f13fbdb6f7f9307167ff01402a6c6ccc426cb4c0ae8b857a6dece6358f8287ef47fbd7a6d96b3de1aadebc2a56be4b632491f83c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
0ae4a21758166373e8c3990878b3c809

SHA1
7f50c8bbb88a6e6e16c4490a621006604c8d8bde

SHA256
020629bb8f7e69a58bfc34e35ef2b34fc01816d76045b5f5fc2e07a33e83b476

SHA512
9ff3bf6b360431032349ffe0f13fbdb6f7f9307167ff01402a6c6ccc426cb4c0ae8b857a6dece6358f8287ef47fbd7a6d96b3de1aadebc2a56be4b632491f83c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
72KB

MD5
3b9f3d33617274190927453f8c620f6c

SHA1
30ac615bbc544f6d0d30b72ce9f065be62365b64

SHA256
846fa8676cf2f286fbd44888271c76ef3e1b85bf1e8eda6f8594ac288f1c3c35

SHA512
7fc532aff82eb75a49649c980616e7329c2701f97a3f26a7c56a16f19cc203e17a66a630d30f859381594a31cfbf7b9f41afd7541db7c4d52802600acb3fec52

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
72KB

MD5
3b9f3d33617274190927453f8c620f6c

SHA1
30ac615bbc544f6d0d30b72ce9f065be62365b64

SHA256
846fa8676cf2f286fbd44888271c76ef3e1b85bf1e8eda6f8594ac288f1c3c35

SHA512
7fc532aff82eb75a49649c980616e7329c2701f97a3f26a7c56a16f19cc203e17a66a630d30f859381594a31cfbf7b9f41afd7541db7c4d52802600acb3fec52

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
0ae4a21758166373e8c3990878b3c809

SHA1
7f50c8bbb88a6e6e16c4490a621006604c8d8bde

SHA256
020629bb8f7e69a58bfc34e35ef2b34fc01816d76045b5f5fc2e07a33e83b476

SHA512
9ff3bf6b360431032349ffe0f13fbdb6f7f9307167ff01402a6c6ccc426cb4c0ae8b857a6dece6358f8287ef47fbd7a6d96b3de1aadebc2a56be4b632491f83c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
0ae4a21758166373e8c3990878b3c809

SHA1
7f50c8bbb88a6e6e16c4490a621006604c8d8bde

SHA256
020629bb8f7e69a58bfc34e35ef2b34fc01816d76045b5f5fc2e07a33e83b476

SHA512
9ff3bf6b360431032349ffe0f13fbdb6f7f9307167ff01402a6c6ccc426cb4c0ae8b857a6dece6358f8287ef47fbd7a6d96b3de1aadebc2a56be4b632491f83c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\System Restore.exe

Filesize
72KB

MD5
c797e1df556d0e7d8e33ab67d380374a

SHA1
acc68360c31166c47656cbf19930c6a996343cd0

SHA256
ddd4a3df9f133c0c67f6a9e6bde2961133c196ac8be1f53e6e5911d108a9ed89

SHA512
bed6ab2d21d459c575b83dd96c25c204899658fab6505bc70ad844d28bc437abcc9923176ef7c28569687d857f7bdd747e809e8119f34fbe903c0d3e16521f29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\System Restore.exe

Filesize
72KB

MD5
c797e1df556d0e7d8e33ab67d380374a

SHA1
acc68360c31166c47656cbf19930c6a996343cd0

SHA256
ddd4a3df9f133c0c67f6a9e6bde2961133c196ac8be1f53e6e5911d108a9ed89

SHA512
bed6ab2d21d459c575b83dd96c25c204899658fab6505bc70ad844d28bc437abcc9923176ef7c28569687d857f7bdd747e809e8119f34fbe903c0d3e16521f29

Download Submit
C:\Program Files (x86)\Adobe\data.exe

Filesize
72KB

MD5
89468253770830cfe2de0d3256b77d2b

SHA1
b8260db0f9be32691d756e2e0c71a14d17400a1b

SHA256
e40a46ff5a7fac51569ca541a8b9d0b2524c1066253e851656f223cb017aaf72

SHA512
25b1ae8c81d1fcf30ea55668add095bdf396d30b20ef3f27d9a255db8f54e447040e86ef537c622d190ded4f1655e6bf085caf8c20db6498c368b9a96561a231

Download Submit
C:\Program Files (x86)\Adobe\data.exe

Filesize
72KB

MD5
89468253770830cfe2de0d3256b77d2b

SHA1
b8260db0f9be32691d756e2e0c71a14d17400a1b

SHA256
e40a46ff5a7fac51569ca541a8b9d0b2524c1066253e851656f223cb017aaf72

SHA512
25b1ae8c81d1fcf30ea55668add095bdf396d30b20ef3f27d9a255db8f54e447040e86ef537c622d190ded4f1655e6bf085caf8c20db6498c368b9a96561a231

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe

Filesize
72KB

MD5
f4d37f497a226352ab07e76c420ed0aa

SHA1
a5b55814bb352929c364edba053b25c4cd394655

SHA256
3f8ae962d85eceed5a1fcf4e9399b22f9270ae9af53c00c113b3f87266e4b809

SHA512
840a3a4e717b63e75da428aa132aa191eb461f0999de3a15cba2687cd3896a4f5a02ac021bac26e494582486b27f2e5335fe3c17e24082407fadc53fb92d6776

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe

Filesize
72KB

MD5
f4d37f497a226352ab07e76c420ed0aa

SHA1
a5b55814bb352929c364edba053b25c4cd394655

SHA256
3f8ae962d85eceed5a1fcf4e9399b22f9270ae9af53c00c113b3f87266e4b809

SHA512
840a3a4e717b63e75da428aa132aa191eb461f0999de3a15cba2687cd3896a4f5a02ac021bac26e494582486b27f2e5335fe3c17e24082407fadc53fb92d6776

Download Submit
C:\Program Files (x86)\Common Files\Adobe\backup.exe

Filesize
72KB

MD5
c7e916176cc6b223002388c946a75cb4

SHA1
16b8b2124abd46568037d7c58563f2ed45802f13

SHA256
3894378f0a3add5a7727de246c8c4129e7b4a2b8c5e9bd730be79a189dd2ab84

SHA512
dcd0dc5e53a56224f72198098fb0d29641f03e0b81d364937de5a3b87aaa864cbf11edb8b2d87e88397efcd56bd5bb8c953ef890ad3e4494af11ebc7faec79fd

Download Submit
C:\Program Files (x86)\Common Files\Adobe\backup.exe

Filesize
72KB

MD5
c7e916176cc6b223002388c946a75cb4

SHA1
16b8b2124abd46568037d7c58563f2ed45802f13

SHA256
3894378f0a3add5a7727de246c8c4129e7b4a2b8c5e9bd730be79a189dd2ab84

SHA512
dcd0dc5e53a56224f72198098fb0d29641f03e0b81d364937de5a3b87aaa864cbf11edb8b2d87e88397efcd56bd5bb8c953ef890ad3e4494af11ebc7faec79fd

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
72KB

MD5
e08fa8d0d45104780b6555ead2fad437

SHA1
8b21f6dd740ab88bbed2d8d028bf4ef026b9ae64

SHA256
02dff217c27b3d888941a4442dc5139976c9d1648813c4bc4cd6b9750ecd13e1

SHA512
e90f101755ffef89d43f5b0ee270708d6d8d6e313865e67dadbd7b788dcd4bca889bcdf856966273fce1dde5659a740bced97592ac88b80f179f8f3a905acaf2

Download Submit
C:\Program Files (x86)\Common Files\backup.exe

Filesize
72KB

MD5
e08fa8d0d45104780b6555ead2fad437

SHA1
8b21f6dd740ab88bbed2d8d028bf4ef026b9ae64

SHA256
02dff217c27b3d888941a4442dc5139976c9d1648813c4bc4cd6b9750ecd13e1

SHA512
e90f101755ffef89d43f5b0ee270708d6d8d6e313865e67dadbd7b788dcd4bca889bcdf856966273fce1dde5659a740bced97592ac88b80f179f8f3a905acaf2

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
04fbfd480c70db505c202646e990eac4

SHA1
3fb90497704b7e3ff5392ecafd1945669c7e5c62

SHA256
04c41cd1c6c9781e2eda98bbf35d07b8664bd81fbd1c902a5f92c27288383c0e

SHA512
4bf537c34a26d15ae59a3f4a4b127008b95a9e528ec444745a29c9f2d5bebf38111b22ec8ab9c7fcae56f517be7edb27e67d40ae8c1dba8dbf260de3ca76fc72

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
04fbfd480c70db505c202646e990eac4

SHA1
3fb90497704b7e3ff5392ecafd1945669c7e5c62

SHA256
04c41cd1c6c9781e2eda98bbf35d07b8664bd81fbd1c902a5f92c27288383c0e

SHA512
4bf537c34a26d15ae59a3f4a4b127008b95a9e528ec444745a29c9f2d5bebf38111b22ec8ab9c7fcae56f517be7edb27e67d40ae8c1dba8dbf260de3ca76fc72

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
381fc059c3926d29bec87d42e98ae14e

SHA1
665e21ec98dd752de527ff1c5323650ced3ddbc7

SHA256
3dd92fd3e27a2ff194c6227df65d4a2abccfa9bc9c800d016eefba4c494d52be

SHA512
b6ec035b7fdec0b03beb504f789cf303c05995025b77dd2e6a947c76462aca140764d987c1459ffe82db3ee232540348c3294e3249d7ce7ea2f84261525733d9

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
381fc059c3926d29bec87d42e98ae14e

SHA1
665e21ec98dd752de527ff1c5323650ced3ddbc7

SHA256
3dd92fd3e27a2ff194c6227df65d4a2abccfa9bc9c800d016eefba4c494d52be

SHA512
b6ec035b7fdec0b03beb504f789cf303c05995025b77dd2e6a947c76462aca140764d987c1459ffe82db3ee232540348c3294e3249d7ce7ea2f84261525733d9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
86c59b024632d1461aa81a718d266feb

SHA1
72bfaf51d6735fce2c2026539d524b33b5d8e610

SHA256
093f31bd0fe0aa1435bef233c125765b6773ed8ba0aa37f6183510860a9e80d3

SHA512
4e71d0e3a34a20e885d11b8071eaf7a6b3caaf609ce39f3a29d8ad62d7d46d50cd5244271d2a9290304c7c5998acad37910ffef87dddee1acd0d0b1d744d98ee

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
86c59b024632d1461aa81a718d266feb

SHA1
72bfaf51d6735fce2c2026539d524b33b5d8e610

SHA256
093f31bd0fe0aa1435bef233c125765b6773ed8ba0aa37f6183510860a9e80d3

SHA512
4e71d0e3a34a20e885d11b8071eaf7a6b3caaf609ce39f3a29d8ad62d7d46d50cd5244271d2a9290304c7c5998acad37910ffef87dddee1acd0d0b1d744d98ee

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
3b38c09da3ad25ea7136106aa355c467

SHA1
5f8e15a8d92b6e1e013e931110ec3dd09f39bf99

SHA256
fe5f74ed5b14fd97556dbfc94b1be5c6d320f69f35f12b792ec9695dd1a46b76

SHA512
c9998853c964cc8d15aac95d88f5d35976e7666ab5ea6bd9ce05fbe71e8ef1a179197590f80c570a4078e2fce9b6c997531ec881b809d7c121707f50d2412498

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
3b38c09da3ad25ea7136106aa355c467

SHA1
5f8e15a8d92b6e1e013e931110ec3dd09f39bf99

SHA256
fe5f74ed5b14fd97556dbfc94b1be5c6d320f69f35f12b792ec9695dd1a46b76

SHA512
c9998853c964cc8d15aac95d88f5d35976e7666ab5ea6bd9ce05fbe71e8ef1a179197590f80c570a4078e2fce9b6c997531ec881b809d7c121707f50d2412498

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e4bd8484e6dedd87efe162e9eead7b6c

SHA1
3c53fa183ed7e47b27c6929b46a5c0a43c567032

SHA256
bb03e115737d873962343c36818a1e96cef0630b408b9052fca6643a23207917

SHA512
47109cd5e96b24fb725f76c1045d50c35ba612cc4e71414f4a2c4d12ee546beac0408a1d50b5317962fc5f1ba6e35deec3e6e633bc8232fd22a9a3d54d065797

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e4bd8484e6dedd87efe162e9eead7b6c

SHA1
3c53fa183ed7e47b27c6929b46a5c0a43c567032

SHA256
bb03e115737d873962343c36818a1e96cef0630b408b9052fca6643a23207917

SHA512
47109cd5e96b24fb725f76c1045d50c35ba612cc4e71414f4a2c4d12ee546beac0408a1d50b5317962fc5f1ba6e35deec3e6e633bc8232fd22a9a3d54d065797

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
8841d6fef326103743b972e426253089

SHA1
5cd520904ca8ed276b21bc37334f22c09167da9a

SHA256
35ef36c22d1056817df62503c655a50d56b620b4cddc724f631c99c618948cde

SHA512
b79026ad3f1fb4bd7b7a798b1e59f23c3bb963d000037be14fdb46aa1c8691ce1be716587ece0206ed99ab02d580df218ca66fdfdc232ff412955d3d6d3c5d87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
8841d6fef326103743b972e426253089

SHA1
5cd520904ca8ed276b21bc37334f22c09167da9a

SHA256
35ef36c22d1056817df62503c655a50d56b620b4cddc724f631c99c618948cde

SHA512
b79026ad3f1fb4bd7b7a798b1e59f23c3bb963d000037be14fdb46aa1c8691ce1be716587ece0206ed99ab02d580df218ca66fdfdc232ff412955d3d6d3c5d87

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
3e6cae78a59f54750a811d47f69a6c7e

SHA1
8b0024f8e0645d074e30f746f1613a5bf56609d3

SHA256
35ef0e676c1d6cff15f7a60b75a8a02913919e49e127eda8513afb146eb48156

SHA512
7e571a88404164d811feaa5e44e6a5cc384af567adb522b46bd6a1cf4f7da99f500c9929527b9e252004d1ae243e2d5575668d126e2c8f50bc821a7e6e8c7e65

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
3e6cae78a59f54750a811d47f69a6c7e

SHA1
8b0024f8e0645d074e30f746f1613a5bf56609d3

SHA256
35ef0e676c1d6cff15f7a60b75a8a02913919e49e127eda8513afb146eb48156

SHA512
7e571a88404164d811feaa5e44e6a5cc384af567adb522b46bd6a1cf4f7da99f500c9929527b9e252004d1ae243e2d5575668d126e2c8f50bc821a7e6e8c7e65

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
7eb7351349f39475aa331f765d561b9b

SHA1
125c8c3714668ac7382db1f2682e8ccb269c273d

SHA256
e04381c085e932e39ba72a72013b2a6c669267cf03967945beecab40288af10f

SHA512
bcc479646bec2501de5af028a3dbbc61c18b0911ded4c3b04857276d4b9171ebade9c522ce521df409b7068900f0da33a014fe61c151dd8f84a798f71f05658b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
7eb7351349f39475aa331f765d561b9b

SHA1
125c8c3714668ac7382db1f2682e8ccb269c273d

SHA256
e04381c085e932e39ba72a72013b2a6c669267cf03967945beecab40288af10f

SHA512
bcc479646bec2501de5af028a3dbbc61c18b0911ded4c3b04857276d4b9171ebade9c522ce521df409b7068900f0da33a014fe61c151dd8f84a798f71f05658b

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
a5e434516246ad7d2eed19953fa12daa

SHA1
0c8d7904e32e283d386e1bbd9aa4597884a4b646

SHA256
f483a601dacd16f78353c5878089faefa4fc764d252f89cab24abc791a853470

SHA512
24afa2517953b01aa9d4dd13e6115b92baa928ab615787935989bd6701145812f68ea11eba05d5d5b3a24b8268ef0ee6b6874fb3b838f713cdc8fe2b06783441

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
a5e434516246ad7d2eed19953fa12daa

SHA1
0c8d7904e32e283d386e1bbd9aa4597884a4b646

SHA256
f483a601dacd16f78353c5878089faefa4fc764d252f89cab24abc791a853470

SHA512
24afa2517953b01aa9d4dd13e6115b92baa928ab615787935989bd6701145812f68ea11eba05d5d5b3a24b8268ef0ee6b6874fb3b838f713cdc8fe2b06783441

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
38596b415265e24bda40ac40466a1998

SHA1
6874440290c993299ab067e74af587a369cc0ced

SHA256
4ec01831142119f18e72f9a33efb9afd722456b8c696b5e72c02ba92c71d29a9

SHA512
ddb5d10835bb8adbfd7394dfc97e56664be78aa0e6f6865038c44776db7af6fcbe5979e61b27a90bb085e4fa2628006e0811f4245b3d3d2c513e27651a25750c

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
38596b415265e24bda40ac40466a1998

SHA1
6874440290c993299ab067e74af587a369cc0ced

SHA256
4ec01831142119f18e72f9a33efb9afd722456b8c696b5e72c02ba92c71d29a9

SHA512
ddb5d10835bb8adbfd7394dfc97e56664be78aa0e6f6865038c44776db7af6fcbe5979e61b27a90bb085e4fa2628006e0811f4245b3d3d2c513e27651a25750c

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
046a7b54acfc5d094b22a196ef57cc80

SHA1
6aaa39b6f318f493a3b28a3d6468c5d93712dddc

SHA256
b69cac8842edef7606693ba4a9ff2332ef4e0ce548699c015a60816beccf41f3

SHA512
ae39b5e6b58afb51b47ecfbad53254a61cc67ff9e0b56d97bd801d817715f7876a79df476fdb2214113f32f973a246d66737571cc5e5733d5cb0f3f8788219b2

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
046a7b54acfc5d094b22a196ef57cc80

SHA1
6aaa39b6f318f493a3b28a3d6468c5d93712dddc

SHA256
b69cac8842edef7606693ba4a9ff2332ef4e0ce548699c015a60816beccf41f3

SHA512
ae39b5e6b58afb51b47ecfbad53254a61cc67ff9e0b56d97bd801d817715f7876a79df476fdb2214113f32f973a246d66737571cc5e5733d5cb0f3f8788219b2

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
5e6d1d3d936ef2b1e0a118253d713fab

SHA1
e9954d9acd5789d0ba89b9a3defec35fe1e39b48

SHA256
a26f6fc147bca462f61e8c81ef0f8aa6a4c2c2f8db6e9385f0cc445d6b01200a

SHA512
12cfcbab4c0c530da34a387dcfdde39f20b1c2d7e46a1f4c85f8bf73685e222c0443b45b31f4dee6ad42bee1655e80dd5cd48efa19a40819c76c01b85a228d26

Download Submit
C:\Users\Admin\3D Objects\backup.exe

Filesize
72KB

MD5
5e6d1d3d936ef2b1e0a118253d713fab

SHA1
e9954d9acd5789d0ba89b9a3defec35fe1e39b48

SHA256
a26f6fc147bca462f61e8c81ef0f8aa6a4c2c2f8db6e9385f0cc445d6b01200a

SHA512
12cfcbab4c0c530da34a387dcfdde39f20b1c2d7e46a1f4c85f8bf73685e222c0443b45b31f4dee6ad42bee1655e80dd5cd48efa19a40819c76c01b85a228d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\2234999677\System Restore.exe

Filesize
72KB

MD5
11888be0382bfbbdf274c19e212b3eed

SHA1
b3baa06f76977fd232976e07a419ae9419e24300

SHA256
c743590e14c83d64524173a7eaf692c7435399492a2f770b8924e0e8433cab6f

SHA512
2cd7b5220f0ea807d522382738e3db0bbf19cdbac7a304346060e10fca03c1548067eac8eb674b0c402245a376ae5535ffc85b4e3229d97fb04a31afb4aa2eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2234999677\System Restore.exe

Filesize
72KB

MD5
11888be0382bfbbdf274c19e212b3eed

SHA1
b3baa06f76977fd232976e07a419ae9419e24300

SHA256
c743590e14c83d64524173a7eaf692c7435399492a2f770b8924e0e8433cab6f

SHA512
2cd7b5220f0ea807d522382738e3db0bbf19cdbac7a304346060e10fca03c1548067eac8eb674b0c402245a376ae5535ffc85b4e3229d97fb04a31afb4aa2eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
f30f4803270fb2a9a4f9c3ea2dacf0bc

SHA1
5c75121f6c454198107c44f80970c6a02b9375d2

SHA256
9e373dcdbfa48734b77b56dc9d8039826f9780e5dc65854cd7b772a8dbc5985d

SHA512
71193a0df74a5fc3297fdae2863915919b30ae4aabe9d18c25a32fbd10fc8956d6d623d74fcb133b7be51ff36d12d0ecb5500648e3806248fb28b46c5c3e4c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
72KB

MD5
f30f4803270fb2a9a4f9c3ea2dacf0bc

SHA1
5c75121f6c454198107c44f80970c6a02b9375d2

SHA256
9e373dcdbfa48734b77b56dc9d8039826f9780e5dc65854cd7b772a8dbc5985d

SHA512
71193a0df74a5fc3297fdae2863915919b30ae4aabe9d18c25a32fbd10fc8956d6d623d74fcb133b7be51ff36d12d0ecb5500648e3806248fb28b46c5c3e4c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
f30f4803270fb2a9a4f9c3ea2dacf0bc

SHA1
5c75121f6c454198107c44f80970c6a02b9375d2

SHA256
9e373dcdbfa48734b77b56dc9d8039826f9780e5dc65854cd7b772a8dbc5985d

SHA512
71193a0df74a5fc3297fdae2863915919b30ae4aabe9d18c25a32fbd10fc8956d6d623d74fcb133b7be51ff36d12d0ecb5500648e3806248fb28b46c5c3e4c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
f30f4803270fb2a9a4f9c3ea2dacf0bc

SHA1
5c75121f6c454198107c44f80970c6a02b9375d2

SHA256
9e373dcdbfa48734b77b56dc9d8039826f9780e5dc65854cd7b772a8dbc5985d

SHA512
71193a0df74a5fc3297fdae2863915919b30ae4aabe9d18c25a32fbd10fc8956d6d623d74fcb133b7be51ff36d12d0ecb5500648e3806248fb28b46c5c3e4c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
28f28e1e6b1d47930f1f4d65931af9d2

SHA1
31f5b3ffb1b947b22cf7aa25caa9993db65f00ad

SHA256
3224b0394e2dcdd03abdb6b2ac2a5ec001d13ca912094454ebf0986e9b22ed4c

SHA512
d4afe821baebc6b5b1c90055ef1b3fed3973d76938408c9bbc1f7357bcd5def386c376e0b64a82d0b5c89a7e49c29327f3a23f7aa444db7b801d4f477574b2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
28f28e1e6b1d47930f1f4d65931af9d2

SHA1
31f5b3ffb1b947b22cf7aa25caa9993db65f00ad

SHA256
3224b0394e2dcdd03abdb6b2ac2a5ec001d13ca912094454ebf0986e9b22ed4c

SHA512
d4afe821baebc6b5b1c90055ef1b3fed3973d76938408c9bbc1f7357bcd5def386c376e0b64a82d0b5c89a7e49c29327f3a23f7aa444db7b801d4f477574b2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
4aa9568b87612e83282db40a1d008e9b

SHA1
60a3172bb2ab85dcd845fe4ed0d1d9b617552bee

SHA256
d7f2137bb426542de6abe89dc524d17509f2d6f4038cb24929f93050d4c2624a

SHA512
932358590e176b62589efa9809158ae808da54e5f56f5b4b0b5fde37f068ee7cd41fd550a8c72a8043b83f69fc70d212c88f083f5f3ca644c4316f86bdda8e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
4aa9568b87612e83282db40a1d008e9b

SHA1
60a3172bb2ab85dcd845fe4ed0d1d9b617552bee

SHA256
d7f2137bb426542de6abe89dc524d17509f2d6f4038cb24929f93050d4c2624a

SHA512
932358590e176b62589efa9809158ae808da54e5f56f5b4b0b5fde37f068ee7cd41fd550a8c72a8043b83f69fc70d212c88f083f5f3ca644c4316f86bdda8e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
4aa9568b87612e83282db40a1d008e9b

SHA1
60a3172bb2ab85dcd845fe4ed0d1d9b617552bee

SHA256
d7f2137bb426542de6abe89dc524d17509f2d6f4038cb24929f93050d4c2624a

SHA512
932358590e176b62589efa9809158ae808da54e5f56f5b4b0b5fde37f068ee7cd41fd550a8c72a8043b83f69fc70d212c88f083f5f3ca644c4316f86bdda8e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
4aa9568b87612e83282db40a1d008e9b

SHA1
60a3172bb2ab85dcd845fe4ed0d1d9b617552bee

SHA256
d7f2137bb426542de6abe89dc524d17509f2d6f4038cb24929f93050d4c2624a

SHA512
932358590e176b62589efa9809158ae808da54e5f56f5b4b0b5fde37f068ee7cd41fd550a8c72a8043b83f69fc70d212c88f083f5f3ca644c4316f86bdda8e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
84f3f42a04a54e8af3783f062f7258ba

SHA1
33bb163419050045e87769501fdf33b0d8940faf

SHA256
8e137e69a702e7b0e6d57248c21d6a6e4785b235428726e17ea6df0d8c82829f

SHA512
fc5d544d36033c117700d56eb70f1cddface130c5eccfd8e1fe6fb216d8403aa4ae35b6eed2728854fd193f7a43c107d8d0702d81af9727a8393060a557b60a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
72KB

MD5
84f3f42a04a54e8af3783f062f7258ba

SHA1
33bb163419050045e87769501fdf33b0d8940faf

SHA256
8e137e69a702e7b0e6d57248c21d6a6e4785b235428726e17ea6df0d8c82829f

SHA512
fc5d544d36033c117700d56eb70f1cddface130c5eccfd8e1fe6fb216d8403aa4ae35b6eed2728854fd193f7a43c107d8d0702d81af9727a8393060a557b60a7

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
52485f50bee5ef85cc38377e917ab6c3

SHA1
916df7103bd7cfcf97ceb1a1a00ac71a161649d9

SHA256
7f7f0cb7b83cb224dcafec3a5c6842e21f818efb5a1a6ddb2cd53ec85218150e

SHA512
e30eacf8230929ff61d9de8975bb11c75f9cf7e614911db07971b478f01226f53df11af63fd6bc187f09083bd0843cb954388528e1829c9dfe3a546c45525941

Download Submit
C:\Users\Admin\backup.exe

Filesize
72KB

MD5
52485f50bee5ef85cc38377e917ab6c3

SHA1
916df7103bd7cfcf97ceb1a1a00ac71a161649d9

SHA256
7f7f0cb7b83cb224dcafec3a5c6842e21f818efb5a1a6ddb2cd53ec85218150e

SHA512
e30eacf8230929ff61d9de8975bb11c75f9cf7e614911db07971b478f01226f53df11af63fd6bc187f09083bd0843cb954388528e1829c9dfe3a546c45525941

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
9d8a02defaed73c339a679f9fd46d520

SHA1
b43342e4e222216db7ce7326a9e1a581b1228403

SHA256
befac985444182a4fdc186980e9b2b372bb0d909bc72e2cd245ae02f0e479b5f

SHA512
cf69c891636f8e6f9798865007d567be476a0ccdd753168489c53d78092102660870d5da7d178527471d11c5a2e906758c0850b7a644687468fd7426e8beddf7

Download Submit
C:\Users\backup.exe

Filesize
72KB

MD5
9d8a02defaed73c339a679f9fd46d520

SHA1
b43342e4e222216db7ce7326a9e1a581b1228403

SHA256
befac985444182a4fdc186980e9b2b372bb0d909bc72e2cd245ae02f0e479b5f

SHA512
cf69c891636f8e6f9798865007d567be476a0ccdd753168489c53d78092102660870d5da7d178527471d11c5a2e906758c0850b7a644687468fd7426e8beddf7

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cd94ecca2ad766e8c35e93f918d74cf4

SHA1
df16d46e4e8b9688447ce04763fe2e16e1d0049c

SHA256
fa9acad0bffce9b01e63f594c2925ef951c21fd4032469b153b268363f4de1c6

SHA512
be540803224581c5cd673725005bfad8540846074163f80571a44df75c26aad9ab0ac9233e4c67503ff8785ddec586171e4efa6f60579543cf55a4e0802c2a5f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cd94ecca2ad766e8c35e93f918d74cf4

SHA1
df16d46e4e8b9688447ce04763fe2e16e1d0049c

SHA256
fa9acad0bffce9b01e63f594c2925ef951c21fd4032469b153b268363f4de1c6

SHA512
be540803224581c5cd673725005bfad8540846074163f80571a44df75c26aad9ab0ac9233e4c67503ff8785ddec586171e4efa6f60579543cf55a4e0802c2a5f

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
c61e292dd7c5a1951a84130733addcd8

SHA1
6b2f6e21fb3640b583775e7ae5b6806f484a283d

SHA256
08412acd98f0b312045c3810f76ab2d24e4cb3b8dbcd469807b6c0f5e6332b7e

SHA512
f57a85c7d10f2b2efc2fd516eec483d9ea634dd0a5ede54e6e7d3180c9bda7c5338c6b9d0a8bd9bee206d9c4b44cc88565541da19eacfd2d924428ed097ae903

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
c61e292dd7c5a1951a84130733addcd8

SHA1
6b2f6e21fb3640b583775e7ae5b6806f484a283d

SHA256
08412acd98f0b312045c3810f76ab2d24e4cb3b8dbcd469807b6c0f5e6332b7e

SHA512
f57a85c7d10f2b2efc2fd516eec483d9ea634dd0a5ede54e6e7d3180c9bda7c5338c6b9d0a8bd9bee206d9c4b44cc88565541da19eacfd2d924428ed097ae903

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads