07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712

Analysis

max time kernel
173s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe
Size

72KB
MD5

00b7847541d3ae66a8ba13f69552767e
SHA1

ee916a2982c9f3d584dec185c35ba7c4cd81e28b
SHA256

07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712
SHA512

e6d42d42829a78375edea29b1d44baf1f9be689ac9eacd1e74764824351a1d65a67f250be8cf5747b0273736818e499765e5fb7a4ec33b5b0f89166d6671e350
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2o:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP8

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
5088	backup.exe
4756	backup.exe
4712	backup.exe
4640	backup.exe
3068	backup.exe
4732	System Restore.exe
3432	backup.exe
1988	backup.exe
4332	backup.exe
1040	data.exe
1568	backup.exe
4368	backup.exe
3004	backup.exe
4056	backup.exe
316	backup.exe
4964	backup.exe
2360	backup.exe
3748	backup.exe
4700	backup.exe
4372	backup.exe
1916	backup.exe
2272	backup.exe
1852	backup.exe
2772	backup.exe
440	backup.exe
2996	backup.exe
2900	backup.exe
1700	backup.exe
5108	backup.exe
3944	backup.exe
380	update.exe
1976	backup.exe
4348	backup.exe
4616	backup.exe
2352	backup.exe
4152	backup.exe
2268	backup.exe
856	backup.exe
4144	data.exe
2664	backup.exe
3216	backup.exe
2364	backup.exe
3808	backup.exe
1840	backup.exe
2496	backup.exe
1456	System Restore.exe
2968	update.exe
2728	backup.exe
2428	backup.exe
4688	backup.exe
1084	backup.exe
3084	update.exe
1668	backup.exe
4324	backup.exe
4752	backup.exe
2172	backup.exe
4660	backup.exe
4828	backup.exe
4440	backup.exe
3256	backup.exe
1372	System Restore.exe
1868	backup.exe
5080	backup.exe
3920	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office 15\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\data.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe
5088	backup.exe
4756	backup.exe
4712	backup.exe
4640	backup.exe
3068	backup.exe
4732	System Restore.exe
3432	backup.exe
1988	backup.exe
4332	backup.exe
1040	data.exe
1568	backup.exe
4368	backup.exe
3004	backup.exe
4056	backup.exe
316	backup.exe
4964	backup.exe
2360	backup.exe
3748	backup.exe
4700	backup.exe
4372	backup.exe
1916	backup.exe
1852	backup.exe
2272	backup.exe
2772	backup.exe
440	backup.exe
2900	backup.exe
1700	backup.exe
2996	backup.exe
5108	backup.exe
3944	backup.exe
380	update.exe
1976	backup.exe
4348	backup.exe
4616	backup.exe
2268	backup.exe
2352	backup.exe
4152	backup.exe
856	backup.exe
4144	data.exe
2364	backup.exe
3216	backup.exe
2664	backup.exe
3808	backup.exe
2496	backup.exe
1840	backup.exe
2968	update.exe
1456	System Restore.exe
4688	backup.exe
2728	backup.exe
2428	backup.exe
3084	update.exe
1084	backup.exe
1668	backup.exe
4752	backup.exe
2172	backup.exe
4324	backup.exe
4660	backup.exe
4440	backup.exe
4828	backup.exe
3256	backup.exe
1372	System Restore.exe
1868	backup.exe
5080	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 5088	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	80
PID 2732 wrote to memory of 5088	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	80
PID 2732 wrote to memory of 5088	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	80
PID 2732 wrote to memory of 4756	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	81
PID 2732 wrote to memory of 4756	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	81
PID 2732 wrote to memory of 4756	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	81
PID 2732 wrote to memory of 4712	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	82
PID 2732 wrote to memory of 4712	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	82
PID 2732 wrote to memory of 4712	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	82
PID 2732 wrote to memory of 4640	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	83
PID 2732 wrote to memory of 4640	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	83
PID 2732 wrote to memory of 4640	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	83
PID 2732 wrote to memory of 3068	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	84
PID 2732 wrote to memory of 3068	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	84
PID 2732 wrote to memory of 3068	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	84
PID 2732 wrote to memory of 4732	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	85
PID 2732 wrote to memory of 4732	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	85
PID 2732 wrote to memory of 4732	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	85
PID 2732 wrote to memory of 3432	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	86
PID 2732 wrote to memory of 3432	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	86
PID 2732 wrote to memory of 3432	2732	07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe	86
PID 5088 wrote to memory of 1988	5088	backup.exe	87
PID 5088 wrote to memory of 1988	5088	backup.exe	87
PID 5088 wrote to memory of 1988	5088	backup.exe	87
PID 1988 wrote to memory of 4332	1988	backup.exe	88
PID 1988 wrote to memory of 4332	1988	backup.exe	88
PID 1988 wrote to memory of 4332	1988	backup.exe	88
PID 1988 wrote to memory of 1040	1988	backup.exe	89
PID 1988 wrote to memory of 1040	1988	backup.exe	89
PID 1988 wrote to memory of 1040	1988	backup.exe	89
PID 1988 wrote to memory of 1568	1988	backup.exe	90
PID 1988 wrote to memory of 1568	1988	backup.exe	90
PID 1988 wrote to memory of 1568	1988	backup.exe	90
PID 1568 wrote to memory of 4368	1568	backup.exe	91
PID 1568 wrote to memory of 4368	1568	backup.exe	91
PID 1568 wrote to memory of 4368	1568	backup.exe	91
PID 4368 wrote to memory of 3004	4368	backup.exe	92
PID 4368 wrote to memory of 3004	4368	backup.exe	92
PID 4368 wrote to memory of 3004	4368	backup.exe	92
PID 1568 wrote to memory of 4056	1568	backup.exe	93
PID 1568 wrote to memory of 4056	1568	backup.exe	93
PID 1568 wrote to memory of 4056	1568	backup.exe	93
PID 4056 wrote to memory of 316	4056	backup.exe	94
PID 4056 wrote to memory of 316	4056	backup.exe	94
PID 4056 wrote to memory of 316	4056	backup.exe	94
PID 4056 wrote to memory of 4964	4056	backup.exe	95
PID 4056 wrote to memory of 4964	4056	backup.exe	95
PID 4056 wrote to memory of 4964	4056	backup.exe	95
PID 4964 wrote to memory of 2360	4964	backup.exe	96
PID 4964 wrote to memory of 2360	4964	backup.exe	96
PID 4964 wrote to memory of 2360	4964	backup.exe	96
PID 4964 wrote to memory of 3748	4964	backup.exe	97
PID 4964 wrote to memory of 3748	4964	backup.exe	97
PID 4964 wrote to memory of 3748	4964	backup.exe	97
PID 3748 wrote to memory of 4700	3748	backup.exe	98
PID 3748 wrote to memory of 4700	3748	backup.exe	98
PID 3748 wrote to memory of 4700	3748	backup.exe	98
PID 3748 wrote to memory of 4372	3748	backup.exe	99
PID 3748 wrote to memory of 4372	3748	backup.exe	99
PID 3748 wrote to memory of 4372	3748	backup.exe	99
PID 1988 wrote to memory of 1916	1988	backup.exe	103
PID 1988 wrote to memory of 1916	1988	backup.exe	103
PID 1988 wrote to memory of 1916	1988	backup.exe	103
PID 1568 wrote to memory of 1852	1568	backup.exe	102

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe
"C:\Users\Admin\AppData\Local\Temp\07152e71f53bd921de09dbce5868c1f83fbd2afa5930815e9d2967f9e7a20712.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\4050964573\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4050964573\backup.exe C:\Users\Admin\AppData\Local\Temp\4050964573\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4332
  - - C:\PerfLogs\data.exe
      C:\PerfLogs\data.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1040
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4368
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3004
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4056
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2360
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4372
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2944
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:4904
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3028
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1708
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:796
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:2348
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:2296
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2132
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        System policy modification
        
        PID:1988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:4388
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3008
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        System policy modification
        
        PID:4740
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:260
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:4840
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:1084
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4592
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        System policy modification
        
        PID:3136
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Drops file in Windows directory
        
        PID:1320
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2772
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5108
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1084
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4660
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1868
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4036
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3776
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2256
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:1140
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3932
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1908
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3016
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2036
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3492
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3792
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3212
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:524
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:4300
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4304
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1668
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:5016
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:2148
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4424
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:4752
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        System policy modification
        
        PID:3388
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:5112
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4736
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3948
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4832
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:116
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1404
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3120
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2328
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3440
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:5060
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:5092
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3544
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2144
      - C:\Program Files\Java\jdk1.8.0_66\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\data.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:2300
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:1448
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\update.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:1704
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:3348
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3004
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1216
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:1116
        
        C:\Program Files\Java\jdk1.8.0_66\jre\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:1412
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:4256
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:3032
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:4148
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        System policy modification
        
        PID:3952
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        
        PID:1128
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3976
        
        C:\Program Files\Java\jre1.8.0_66\bin\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:3192
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        Disables RegEdit via registry modification
        
        PID:668
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:2596
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:2348
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:1592
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        System policy modification
        
        PID:4636
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        System policy modification
        
        PID:4612
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:2504
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4260
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2588
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4232
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3216
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3396
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1324
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4044
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:1528
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3352
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4624
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:1732
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3888
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3980
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:3196
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:4480
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:4064
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2452
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1908
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:3004
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:1300
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:3928
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1916
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Disables RegEdit via registry modification
        
        PID:208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:2160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:3492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:2592
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:3468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4672
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        10⤵
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:2548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        System policy modification
        
        PID:5080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:3432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:4616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:4020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        Disables RegEdit via registry modification
        
        PID:4372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:4932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1460
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4696
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1436
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4380
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        System policy modification
        
        PID:3528
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:3360
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:380
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:420
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        System policy modification
        
        PID:3012
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3504
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:1208
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        System policy modification
        
        PID:3140
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        System policy modification
        
        PID:4940
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        Drops file in Program Files directory
        
        PID:2168
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4672
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:3296
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4580
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:4196
      - C:\Program Files (x86)\Common Files\Java\update.exe
        
        "C:\Program Files (x86)\Common Files\Java\update.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2376
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:2252
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        8⤵
        System policy modification
        
        PID:3256
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:628
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3772
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3992
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:4080
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:3564
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        System policy modification
        
        PID:1668
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:5060
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:2368
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:4804
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1452
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3160
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:3592
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:500
        
        C:\Program Files (x86)\Google\Update\Download\update.exe
        
        "C:\Program Files (x86)\Google\Update\Download\update.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Drops file in Program Files directory
        
        PID:2112
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:2352
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1140
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2248
        
        C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3540
        
        C:\Program Files (x86)\Google\Update\Offline\data.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\data.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3616
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2528
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4908
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4860
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:612
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:4316
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
      - C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:5060
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\data.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        System policy modification
        
        PID:4688
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        System policy modification
        
        PID:2108
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2432
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:176
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:1144
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4284
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4812
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3888
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:4016
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1272
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1108
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4048
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2588
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2252
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:3600
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:960
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3876
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:4808
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3684
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2592
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2784
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4328
      - C:\Users\Public\Pictures\System Restore.exe
        
        "C:\Users\Public\Pictures\System Restore.exe" C:\Users\Public\Pictures\
        6⤵
        
        PID:4756
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1260
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:3332
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        System policy modification
        
        PID:3540
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:1320
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:4172
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:5008
      - C:\Windows\appcompat\encapsulation\data.exe
        
        C:\Windows\appcompat\encapsulation\data.exe C:\Windows\appcompat\encapsulation\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:620
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:5036
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:5080
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:4288
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1668
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4640
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4376
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3528
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        System policy modification
        
        PID:1808
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:4732
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3456
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3432
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
    3⤵
    - System policy modification
    PID:2212
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
      4⤵
      PID:1176

C:\Program Files\Common Files\System\ado\update.exe
"C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:380
- C:\Program Files\Common Files\System\ado\de-DE\backup.exe
  "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4616
- C:\Program Files\Common Files\System\ado\en-US\data.exe
  "C:\Program Files\Common Files\System\ado\en-US\data.exe" C:\Program Files\Common Files\System\ado\en-US\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Program Files\Common Files\System\ado\es-ES\backup.exe
  "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840
- C:\Program Files\Common Files\System\ado\fr-FR\update.exe
  "C:\Program Files\Common Files\System\ado\fr-FR\update.exe" C:\Program Files\Common Files\System\ado\fr-FR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3084
- C:\Program Files\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4752
- C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4440

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4152
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3216
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2428
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3256
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:4368
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
    3⤵
    - Disables RegEdit via registry modification
    PID:1072
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
    3⤵
    - Disables RegEdit via registry modification
    PID:3296
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
      4⤵
      System policy modification
      PID:4484
    - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        5⤵
        
        PID:3420
- C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
  "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
  2⤵
  PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
1⤵
- Drops file in Program Files directory
PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
  2⤵
  PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1684
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
    3⤵
    PID:5016

C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
1⤵
- System policy modification
PID:2772

C:\Program Files\Java\jre1.8.0_66\lib\amd64\System Restore.exe
"C:\Program Files\Java\jre1.8.0_66\lib\amd64\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
1⤵
- Modifies visibility of file extensions in Explorer
PID:4716

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\data.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit
C:\PerfLogs\data.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
4a269fe8b3cdaaa16a4ce4d16beb343e

SHA1
15834841a99b42d63db76a0908306d83d2f6da03

SHA256
45781844775204f812ad71f9485808586694b9c4fae453a4e55a91630b6bfeb1

SHA512
e61babd1f0944ef3a9bb2ea3400f1c9e22fd62d73bcdcf430f010682b071bb4fde1f82ca4acbefaa8bc1cce81d769468eae211b0b7589bb12261b35a42de4c5f

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
4a269fe8b3cdaaa16a4ce4d16beb343e

SHA1
15834841a99b42d63db76a0908306d83d2f6da03

SHA256
45781844775204f812ad71f9485808586694b9c4fae453a4e55a91630b6bfeb1

SHA512
e61babd1f0944ef3a9bb2ea3400f1c9e22fd62d73bcdcf430f010682b071bb4fde1f82ca4acbefaa8bc1cce81d769468eae211b0b7589bb12261b35a42de4c5f

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
19d3079cc84d7bdbc5a058a66b94958f

SHA1
fb38cb2dc7b6a55902b0a02113096da1db028042

SHA256
a1a5199ba416241116c743cc40e308d5ccef9a95e701a5c11472487f6338877d

SHA512
72cac0bf5dbe0d5a6c0d8a247386b4534ccd10a70c5cac9c9d6177dc035128e0289dddafa9a7dd025eab00b1e8d40fee158d50619e33846021ed40e2425cbd16

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
19d3079cc84d7bdbc5a058a66b94958f

SHA1
fb38cb2dc7b6a55902b0a02113096da1db028042

SHA256
a1a5199ba416241116c743cc40e308d5ccef9a95e701a5c11472487f6338877d

SHA512
72cac0bf5dbe0d5a6c0d8a247386b4534ccd10a70c5cac9c9d6177dc035128e0289dddafa9a7dd025eab00b1e8d40fee158d50619e33846021ed40e2425cbd16

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6d4be2825f985b2c748c9b06954993ef

SHA1
3e3d815078ed1320be7187b01ef426a388effe14

SHA256
4d2732bf43d1223d53a1545ce81081f02cc6299a11f9986a5e1332f1f13eeb86

SHA512
a667a1ca5118d5c403982f2791de816c67e4d509ad139dbe7baf3270985da3a405c2bcc5cda7e0eb76500283ff47ab9ebafa57e71c4ddcd650dd2b3a33cac6f3

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6d4be2825f985b2c748c9b06954993ef

SHA1
3e3d815078ed1320be7187b01ef426a388effe14

SHA256
4d2732bf43d1223d53a1545ce81081f02cc6299a11f9986a5e1332f1f13eeb86

SHA512
a667a1ca5118d5c403982f2791de816c67e4d509ad139dbe7baf3270985da3a405c2bcc5cda7e0eb76500283ff47ab9ebafa57e71c4ddcd650dd2b3a33cac6f3

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6bfe3f28646c8a35a0dd12e3c79d793e

SHA1
f9c7f0e26738ed55d92b3f71c0a255fd9fd7e256

SHA256
b64e0b809150273554ea323e3d40bf4d323955ce80377e330daa65c6dc7ac1f3

SHA512
69737096c4cc8ac729c5bc1115a3e3825ea1c7a2e8b2e9b48b24242b3db64126a5f8bd863c74931e8fad131429d31e421a013b4572505beff2589dee6366d9e7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
6bfe3f28646c8a35a0dd12e3c79d793e

SHA1
f9c7f0e26738ed55d92b3f71c0a255fd9fd7e256

SHA256
b64e0b809150273554ea323e3d40bf4d323955ce80377e330daa65c6dc7ac1f3

SHA512
69737096c4cc8ac729c5bc1115a3e3825ea1c7a2e8b2e9b48b24242b3db64126a5f8bd863c74931e8fad131429d31e421a013b4572505beff2589dee6366d9e7

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
6f72d50ce344ef9da2a88150ff122386

SHA1
a5f9d83abd8e55ff84a4f6012a77394aa95ca95b

SHA256
87d91cd53ecf1b08a1d1c1f7502f64aced48a027814004fcaafeee3f9df702e2

SHA512
10ac66ec5817763440dbaefebf6a523ae76d07f85834d9acfd28df669b8f4d03d68ca7fcaa058ec0bcb5b6b1faeb5f64b09501c4907b8d60f0b06043ebc9ee40

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
6f72d50ce344ef9da2a88150ff122386

SHA1
a5f9d83abd8e55ff84a4f6012a77394aa95ca95b

SHA256
87d91cd53ecf1b08a1d1c1f7502f64aced48a027814004fcaafeee3f9df702e2

SHA512
10ac66ec5817763440dbaefebf6a523ae76d07f85834d9acfd28df669b8f4d03d68ca7fcaa058ec0bcb5b6b1faeb5f64b09501c4907b8d60f0b06043ebc9ee40

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
554ed9839409422463d11768baa90bdd

SHA1
f57e28021b463169815c271fca2c9f4fa6525327

SHA256
9b9fb77b5b124dcd966dbd239e6d8d8657eba735a392bb6cf984b84860e8143f

SHA512
d2ae505805b8f62f7f4752e365a5d7cd51f99cb281058d509f931a23e1fb72ef1852e398dc5cea9dcefe9a4ad41ac4f5037369985c42c7a67b158068b0fe267c

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
554ed9839409422463d11768baa90bdd

SHA1
f57e28021b463169815c271fca2c9f4fa6525327

SHA256
9b9fb77b5b124dcd966dbd239e6d8d8657eba735a392bb6cf984b84860e8143f

SHA512
d2ae505805b8f62f7f4752e365a5d7cd51f99cb281058d509f931a23e1fb72ef1852e398dc5cea9dcefe9a4ad41ac4f5037369985c42c7a67b158068b0fe267c

Download Submit
C:\Program Files\Common Files\System\ado\update.exe

Filesize
72KB

MD5
2dc51445fe0ebf4e935b0ea5df126a86

SHA1
d7125f525e94fe6d24510cb8d4d5c89a7454d807

SHA256
80c49da9856d3d7d8e5e34d5bdb7e6aee73462eb7c1fc2bd07ac3471af322fce

SHA512
cdcd8ce353b7603d8358d0d0f9f9b4c603e56baf7b20f95f2f68dd8cf2cb77dc394a6e23db46ee198df45012ea7a1e3a52a7c7218e874a28f623b1e2705ddd4e

Download Submit
C:\Program Files\Common Files\System\ado\update.exe

Filesize
72KB

MD5
2dc51445fe0ebf4e935b0ea5df126a86

SHA1
d7125f525e94fe6d24510cb8d4d5c89a7454d807

SHA256
80c49da9856d3d7d8e5e34d5bdb7e6aee73462eb7c1fc2bd07ac3471af322fce

SHA512
cdcd8ce353b7603d8358d0d0f9f9b4c603e56baf7b20f95f2f68dd8cf2cb77dc394a6e23db46ee198df45012ea7a1e3a52a7c7218e874a28f623b1e2705ddd4e

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
554ed9839409422463d11768baa90bdd

SHA1
f57e28021b463169815c271fca2c9f4fa6525327

SHA256
9b9fb77b5b124dcd966dbd239e6d8d8657eba735a392bb6cf984b84860e8143f

SHA512
d2ae505805b8f62f7f4752e365a5d7cd51f99cb281058d509f931a23e1fb72ef1852e398dc5cea9dcefe9a4ad41ac4f5037369985c42c7a67b158068b0fe267c

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
554ed9839409422463d11768baa90bdd

SHA1
f57e28021b463169815c271fca2c9f4fa6525327

SHA256
9b9fb77b5b124dcd966dbd239e6d8d8657eba735a392bb6cf984b84860e8143f

SHA512
d2ae505805b8f62f7f4752e365a5d7cd51f99cb281058d509f931a23e1fb72ef1852e398dc5cea9dcefe9a4ad41ac4f5037369985c42c7a67b158068b0fe267c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
396f04d98e0306467afdce708c5661ac

SHA1
c3dd00d89efb2845b1b9075fb975983978fb359d

SHA256
28f2f74b590cbaedf8d64fbed1a715e40e1dc4323b813d1cbdc1fc3c0d680365

SHA512
6c6f7f4a65f24a8eaa7f39f09619dbfee0b13b5070e3f3c230d682ce955c591a74e27ba9977ada44e163f726a4f054ada5fb2e45836a34baf8d6f47b8fd6b5e7

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
396f04d98e0306467afdce708c5661ac

SHA1
c3dd00d89efb2845b1b9075fb975983978fb359d

SHA256
28f2f74b590cbaedf8d64fbed1a715e40e1dc4323b813d1cbdc1fc3c0d680365

SHA512
6c6f7f4a65f24a8eaa7f39f09619dbfee0b13b5070e3f3c230d682ce955c591a74e27ba9977ada44e163f726a4f054ada5fb2e45836a34baf8d6f47b8fd6b5e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
8be2542745814098f63ac46ec502af62

SHA1
31fbe7683afa64647646168e6ab56aa7d41bc8ab

SHA256
0b76115528d1446fa67c7a6fcf01cde5289aff647033ece39fe4a01e20f59eac

SHA512
71003c67b092452311ddad1806bbd31896e0c43594ef6881c54db04d8293dbc89da92fabf93418a23c91c674bb1deba89c5ab0d16865d656b119a9b6f3694593

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
8be2542745814098f63ac46ec502af62

SHA1
31fbe7683afa64647646168e6ab56aa7d41bc8ab

SHA256
0b76115528d1446fa67c7a6fcf01cde5289aff647033ece39fe4a01e20f59eac

SHA512
71003c67b092452311ddad1806bbd31896e0c43594ef6881c54db04d8293dbc89da92fabf93418a23c91c674bb1deba89c5ab0d16865d656b119a9b6f3694593

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
ebbe785bbf37a770f5c42fb42790d0a2

SHA1
d9dfeb7729ae0de30e4e17569d523ff7da40c732

SHA256
c940413b32a7c16f32a43016c4f56d0d87b92229439b0a3e623cba8d2962332c

SHA512
bb048926ea3f7559ec42b8325d485d2f33fb32eff72a91a392a120674d1180cd339bbc77abd6769888295eb39ff1d7169019179c1fd56fe1f6cf86822c8e06ba

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
72KB

MD5
ebbe785bbf37a770f5c42fb42790d0a2

SHA1
d9dfeb7729ae0de30e4e17569d523ff7da40c732

SHA256
c940413b32a7c16f32a43016c4f56d0d87b92229439b0a3e623cba8d2962332c

SHA512
bb048926ea3f7559ec42b8325d485d2f33fb32eff72a91a392a120674d1180cd339bbc77abd6769888295eb39ff1d7169019179c1fd56fe1f6cf86822c8e06ba

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
435363a536f187de06578c1ffd62b9cc

SHA1
134b44387f738a8408c190cadf135ec668088b65

SHA256
bf2303ce2a5c582a8290ad798fa250d120f4b9c5cbf9863f4d396680da596d72

SHA512
ba4ad8f924186b22df77190b29bc170a8864e415b5726c8ccf0ec914522f2af3a5c44b9988499c8bc30d2c7a819a86e129c69558cdd2133767b40e6bfa7bb04f

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe

Filesize
72KB

MD5
435363a536f187de06578c1ffd62b9cc

SHA1
134b44387f738a8408c190cadf135ec668088b65

SHA256
bf2303ce2a5c582a8290ad798fa250d120f4b9c5cbf9863f4d396680da596d72

SHA512
ba4ad8f924186b22df77190b29bc170a8864e415b5726c8ccf0ec914522f2af3a5c44b9988499c8bc30d2c7a819a86e129c69558cdd2133767b40e6bfa7bb04f

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
6f72d50ce344ef9da2a88150ff122386

SHA1
a5f9d83abd8e55ff84a4f6012a77394aa95ca95b

SHA256
87d91cd53ecf1b08a1d1c1f7502f64aced48a027814004fcaafeee3f9df702e2

SHA512
10ac66ec5817763440dbaefebf6a523ae76d07f85834d9acfd28df669b8f4d03d68ca7fcaa058ec0bcb5b6b1faeb5f64b09501c4907b8d60f0b06043ebc9ee40

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
6f72d50ce344ef9da2a88150ff122386

SHA1
a5f9d83abd8e55ff84a4f6012a77394aa95ca95b

SHA256
87d91cd53ecf1b08a1d1c1f7502f64aced48a027814004fcaafeee3f9df702e2

SHA512
10ac66ec5817763440dbaefebf6a523ae76d07f85834d9acfd28df669b8f4d03d68ca7fcaa058ec0bcb5b6b1faeb5f64b09501c4907b8d60f0b06043ebc9ee40

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
e2e783e9c14d5c8df9a7cb791f5f5e1b

SHA1
16fb5b36a4f438ed6d53c5956b8bda1455b09739

SHA256
b1a46b6f6aeccc4e832ffe7781a959e774f1c6018b9e1e55c94381e459b7188b

SHA512
80917d07e9cfaabdc74f9ca6e1d732b5493d32fd710e1cd3d4d27c6d9a58cb163f9883872bbe7b231bbafeb29a0c3eb05095385e6fe36dd37e51432c347ffba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
e2e783e9c14d5c8df9a7cb791f5f5e1b

SHA1
16fb5b36a4f438ed6d53c5956b8bda1455b09739

SHA256
b1a46b6f6aeccc4e832ffe7781a959e774f1c6018b9e1e55c94381e459b7188b

SHA512
80917d07e9cfaabdc74f9ca6e1d732b5493d32fd710e1cd3d4d27c6d9a58cb163f9883872bbe7b231bbafeb29a0c3eb05095385e6fe36dd37e51432c347ffba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
8be2542745814098f63ac46ec502af62

SHA1
31fbe7683afa64647646168e6ab56aa7d41bc8ab

SHA256
0b76115528d1446fa67c7a6fcf01cde5289aff647033ece39fe4a01e20f59eac

SHA512
71003c67b092452311ddad1806bbd31896e0c43594ef6881c54db04d8293dbc89da92fabf93418a23c91c674bb1deba89c5ab0d16865d656b119a9b6f3694593

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
8be2542745814098f63ac46ec502af62

SHA1
31fbe7683afa64647646168e6ab56aa7d41bc8ab

SHA256
0b76115528d1446fa67c7a6fcf01cde5289aff647033ece39fe4a01e20f59eac

SHA512
71003c67b092452311ddad1806bbd31896e0c43594ef6881c54db04d8293dbc89da92fabf93418a23c91c674bb1deba89c5ab0d16865d656b119a9b6f3694593

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e2e783e9c14d5c8df9a7cb791f5f5e1b

SHA1
16fb5b36a4f438ed6d53c5956b8bda1455b09739

SHA256
b1a46b6f6aeccc4e832ffe7781a959e774f1c6018b9e1e55c94381e459b7188b

SHA512
80917d07e9cfaabdc74f9ca6e1d732b5493d32fd710e1cd3d4d27c6d9a58cb163f9883872bbe7b231bbafeb29a0c3eb05095385e6fe36dd37e51432c347ffba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e2e783e9c14d5c8df9a7cb791f5f5e1b

SHA1
16fb5b36a4f438ed6d53c5956b8bda1455b09739

SHA256
b1a46b6f6aeccc4e832ffe7781a959e774f1c6018b9e1e55c94381e459b7188b

SHA512
80917d07e9cfaabdc74f9ca6e1d732b5493d32fd710e1cd3d4d27c6d9a58cb163f9883872bbe7b231bbafeb29a0c3eb05095385e6fe36dd37e51432c347ffba2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
070ce1b61985c3479a7f7b11d1f1e2ee

SHA1
14ffa5acb3bdbbb64914fada59af14e72b9680bc

SHA256
ec63f52f870fc452deffa484f35bed1d2af4a1a6a6564c09fb2ef44583e70851

SHA512
5ade22863aefe1356a415388364fd8c96339530d57699cb1be24667559ca304c6d6ef2d1bc9d39cce26173d92252b7e294f6f953d5edd7d1f2208efa4761499a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
070ce1b61985c3479a7f7b11d1f1e2ee

SHA1
14ffa5acb3bdbbb64914fada59af14e72b9680bc

SHA256
ec63f52f870fc452deffa484f35bed1d2af4a1a6a6564c09fb2ef44583e70851

SHA512
5ade22863aefe1356a415388364fd8c96339530d57699cb1be24667559ca304c6d6ef2d1bc9d39cce26173d92252b7e294f6f953d5edd7d1f2208efa4761499a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
070ce1b61985c3479a7f7b11d1f1e2ee

SHA1
14ffa5acb3bdbbb64914fada59af14e72b9680bc

SHA256
ec63f52f870fc452deffa484f35bed1d2af4a1a6a6564c09fb2ef44583e70851

SHA512
5ade22863aefe1356a415388364fd8c96339530d57699cb1be24667559ca304c6d6ef2d1bc9d39cce26173d92252b7e294f6f953d5edd7d1f2208efa4761499a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
070ce1b61985c3479a7f7b11d1f1e2ee

SHA1
14ffa5acb3bdbbb64914fada59af14e72b9680bc

SHA256
ec63f52f870fc452deffa484f35bed1d2af4a1a6a6564c09fb2ef44583e70851

SHA512
5ade22863aefe1356a415388364fd8c96339530d57699cb1be24667559ca304c6d6ef2d1bc9d39cce26173d92252b7e294f6f953d5edd7d1f2208efa4761499a

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
2dd1752b9d723201c38f7ff35d4cf653

SHA1
6bbd28ff2f840b8ad3e32eca1cb1366ac2560d1a

SHA256
49f0edc295bf11e8791e994d05f1f463bc5b60d7c382ac4440b7a95e2471479b

SHA512
a572e002088289609d9f90748cb6927d19c6ee25e3f3b437975dcc4f4f5409f58b78722738dfb97aa00a892678ff97d2fbea86da6fb55b111945271795e07e25

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
2dd1752b9d723201c38f7ff35d4cf653

SHA1
6bbd28ff2f840b8ad3e32eca1cb1366ac2560d1a

SHA256
49f0edc295bf11e8791e994d05f1f463bc5b60d7c382ac4440b7a95e2471479b

SHA512
a572e002088289609d9f90748cb6927d19c6ee25e3f3b437975dcc4f4f5409f58b78722738dfb97aa00a892678ff97d2fbea86da6fb55b111945271795e07e25

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
359cdc6ced92db70668acb0bd1bcf0b0

SHA1
61911ff4864447504edb4f67c9ffbbf21447704e

SHA256
19aa7f79097b783b52fb1ea61c7a773d0ad9d8cd7d2cd2e9f9de9b288fdd3fca

SHA512
a71a0768b7eb96864b9849f29673ca18093095ce466d4ebd2a1448d9b96f43685d4956e8e4c63d11ccb7fe6ac67d70ce70975c214362575631ce5f0b68fea928

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
359cdc6ced92db70668acb0bd1bcf0b0

SHA1
61911ff4864447504edb4f67c9ffbbf21447704e

SHA256
19aa7f79097b783b52fb1ea61c7a773d0ad9d8cd7d2cd2e9f9de9b288fdd3fca

SHA512
a71a0768b7eb96864b9849f29673ca18093095ce466d4ebd2a1448d9b96f43685d4956e8e4c63d11ccb7fe6ac67d70ce70975c214362575631ce5f0b68fea928

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
9d20d322acc5f9a38e1bfe2ac6e95ba2

SHA1
db6c985940906a4e45651402f1329327cbe5794e

SHA256
0176d6728101417e176c9e427faa3b52164d1152c1ad611d2fdd92b214cc49e6

SHA512
ffb6b9c10fb91e93ab2b1b70b1ce4922bc1ffe2a0c0796007a6fd25ced369f74d9d6784e7a171a3c535e2d109afad9d7dc661604a541a787f839945814b374a4

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
9d20d322acc5f9a38e1bfe2ac6e95ba2

SHA1
db6c985940906a4e45651402f1329327cbe5794e

SHA256
0176d6728101417e176c9e427faa3b52164d1152c1ad611d2fdd92b214cc49e6

SHA512
ffb6b9c10fb91e93ab2b1b70b1ce4922bc1ffe2a0c0796007a6fd25ced369f74d9d6784e7a171a3c535e2d109afad9d7dc661604a541a787f839945814b374a4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4050964573\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\4050964573\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\System Restore.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
5bb1752047b11488ae5d1de911ad7b17

SHA1
5eead66b8b3a6a3e53317e921fbc9c08e887f963

SHA256
4404613040e7f44e606e12d71565b09e748cc568905ce02efcc2bec62fe1b02f

SHA512
8a2a350d2ec08af463903b6b7514aad483f3bfab94db711953727a3f952757a95fbb63ac48245057cd0cea92beffd620cea8b56f286c8dea90f8876d56ef1743

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e39c7ec58d9fdb2cf7329cc7a88875d9

SHA1
dddd9fa342cc275fba484b6c12fb161a0d145b1f

SHA256
1f2fb78f2079794ac588ad281ab603d05085ba730e29c87de9c58b04bd98f13c

SHA512
8034edfc80f12b7acd509ef8d00ecad3e6105889b1171425dac41c675273c5dccd0851220eb9fc63a92a5a24b1942d2cb67d6a51c4a3b1a555508309a1d10fbe

Download Submit
C:\backup.exe

Filesize
72KB

MD5
e39c7ec58d9fdb2cf7329cc7a88875d9

SHA1
dddd9fa342cc275fba484b6c12fb161a0d145b1f

SHA256
1f2fb78f2079794ac588ad281ab603d05085ba730e29c87de9c58b04bd98f13c

SHA512
8034edfc80f12b7acd509ef8d00ecad3e6105889b1171425dac41c675273c5dccd0851220eb9fc63a92a5a24b1942d2cb67d6a51c4a3b1a555508309a1d10fbe

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
296b9fffdd0c8c866f90e437e6f7cd9c

SHA1
6f0252c29e78eb41f15bb93be53197c3cc8a93ef

SHA256
e6cf012d161d53784ca9d37f6739ca8728f35a4494384594f30c115368235b64

SHA512
4eea68e7feb3713d946354c03280bdfb5d7a3d54119635eb36c6bd298904529e0721dcabef40a50894d1678492f93d7b6c414d76c0121e24fef41d8b4281cbd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads