0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09

Analysis

max time kernel
217s
max time network
242s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe
Size

72KB
MD5

03c3ad04a13baa254b5b37148e6991c6
SHA1

d6870210dc749833edea434d5c0f5dd48a2a4451
SHA256

0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09
SHA512

0c6209c246d2d7f1bd979bdf3ed88f35eaa7dbeeaa0e1a818901e2d3ce48fd99188022782bc9f0d18743570a9be04f7e582f8085e7e710a7e59e6033dd88bfb4
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf26:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPO

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1788	backup.exe
4856	backup.exe
3244	backup.exe
2824	backup.exe
1244	backup.exe
3908	System Restore.exe
4912	backup.exe
1676	backup.exe
1276	backup.exe
4672	update.exe
3856	backup.exe
5044	backup.exe
2612	backup.exe
2300	backup.exe
5048	backup.exe
2912	backup.exe
1916	backup.exe
2832	backup.exe
2380	backup.exe
4880	backup.exe
632	backup.exe
4704	backup.exe
2284	backup.exe
1028	backup.exe
1040	backup.exe
4964	data.exe
2560	backup.exe
2216	backup.exe
4944	backup.exe
2496	backup.exe
440	backup.exe
4600	update.exe
1616	backup.exe
1968	backup.exe
836	backup.exe
3028	System Restore.exe
4308	backup.exe
4800	backup.exe
1552	backup.exe
2100	backup.exe
3640	backup.exe
2564	backup.exe
2244	data.exe
4196	backup.exe
2396	backup.exe
4580	backup.exe
3376	backup.exe
2628	backup.exe
2512	backup.exe
1276	backup.exe
3392	backup.exe
4340	backup.exe
5112	backup.exe
3456	backup.exe
4280	backup.exe
5048	backup.exe
364	backup.exe
2640	backup.exe
2520	backup.exe
976	backup.exe
1484	backup.exe
2732	System Restore.exe
1244	backup.exe
4808	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe	update.exe
File opened for modification	C:\Program Files\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	backup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe
1788	backup.exe
4856	backup.exe
3244	backup.exe
2824	backup.exe
1244	backup.exe
3908	System Restore.exe
4912	backup.exe
1676	backup.exe
1276	backup.exe
4672	update.exe
3856	backup.exe
5044	backup.exe
2612	backup.exe
2300	backup.exe
5048	backup.exe
2912	backup.exe
1916	backup.exe
2832	backup.exe
2380	backup.exe
4880	backup.exe
632	backup.exe
4704	backup.exe
2284	backup.exe
1028	backup.exe
1040	backup.exe
4964	data.exe
2560	backup.exe
2216	backup.exe
4944	backup.exe
2496	backup.exe
4600	update.exe
1968	backup.exe
440	backup.exe
1616	backup.exe
836	backup.exe
3028	System Restore.exe
1552	backup.exe
4308	backup.exe
4800	backup.exe
2100	backup.exe
2564	backup.exe
3640	backup.exe
2244	data.exe
4196	backup.exe
2396	backup.exe
3376	backup.exe
4580	backup.exe
2628	backup.exe
2512	backup.exe
1276	backup.exe
3392	backup.exe
3456	backup.exe
5112	backup.exe
4340	backup.exe
4280	backup.exe
364	backup.exe
5048	backup.exe
2520	backup.exe
2640	backup.exe
976	backup.exe
1484	backup.exe
2732	System Restore.exe
1244	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1788	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	82
PID 308 wrote to memory of 1788	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	82
PID 308 wrote to memory of 1788	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	82
PID 308 wrote to memory of 4856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	83
PID 308 wrote to memory of 4856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	83
PID 308 wrote to memory of 4856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	83
PID 308 wrote to memory of 3244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	84
PID 308 wrote to memory of 3244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	84
PID 308 wrote to memory of 3244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	84
PID 1788 wrote to memory of 2824	1788	backup.exe	85
PID 1788 wrote to memory of 2824	1788	backup.exe	85
PID 1788 wrote to memory of 2824	1788	backup.exe	85
PID 308 wrote to memory of 1244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	86
PID 308 wrote to memory of 1244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	86
PID 308 wrote to memory of 1244	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	86
PID 2824 wrote to memory of 3908	2824	backup.exe	87
PID 2824 wrote to memory of 3908	2824	backup.exe	87
PID 2824 wrote to memory of 3908	2824	backup.exe	87
PID 308 wrote to memory of 4912	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	88
PID 308 wrote to memory of 4912	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	88
PID 308 wrote to memory of 4912	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	88
PID 2824 wrote to memory of 1676	2824	backup.exe	89
PID 2824 wrote to memory of 1676	2824	backup.exe	89
PID 2824 wrote to memory of 1676	2824	backup.exe	89
PID 308 wrote to memory of 1276	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	90
PID 308 wrote to memory of 1276	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	90
PID 308 wrote to memory of 1276	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	90
PID 2824 wrote to memory of 4672	2824	backup.exe	91
PID 2824 wrote to memory of 4672	2824	backup.exe	91
PID 2824 wrote to memory of 4672	2824	backup.exe	91
PID 308 wrote to memory of 3856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	92
PID 308 wrote to memory of 3856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	92
PID 308 wrote to memory of 3856	308	0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe	92
PID 4672 wrote to memory of 5044	4672	update.exe	93
PID 4672 wrote to memory of 5044	4672	update.exe	93
PID 4672 wrote to memory of 5044	4672	update.exe	93
PID 5044 wrote to memory of 2612	5044	backup.exe	94
PID 5044 wrote to memory of 2612	5044	backup.exe	94
PID 5044 wrote to memory of 2612	5044	backup.exe	94
PID 4672 wrote to memory of 2300	4672	update.exe	95
PID 4672 wrote to memory of 2300	4672	update.exe	95
PID 4672 wrote to memory of 2300	4672	update.exe	95
PID 2300 wrote to memory of 5048	2300	backup.exe	96
PID 2300 wrote to memory of 5048	2300	backup.exe	96
PID 2300 wrote to memory of 5048	2300	backup.exe	96
PID 2300 wrote to memory of 2912	2300	backup.exe	97
PID 2300 wrote to memory of 2912	2300	backup.exe	97
PID 2300 wrote to memory of 2912	2300	backup.exe	97
PID 2912 wrote to memory of 1916	2912	backup.exe	98
PID 2912 wrote to memory of 1916	2912	backup.exe	98
PID 2912 wrote to memory of 1916	2912	backup.exe	98
PID 2912 wrote to memory of 2832	2912	backup.exe	99
PID 2912 wrote to memory of 2832	2912	backup.exe	99
PID 2912 wrote to memory of 2832	2912	backup.exe	99
PID 2832 wrote to memory of 2380	2832	backup.exe	100
PID 2832 wrote to memory of 2380	2832	backup.exe	100
PID 2832 wrote to memory of 2380	2832	backup.exe	100
PID 2832 wrote to memory of 4880	2832	backup.exe	101
PID 2832 wrote to memory of 4880	2832	backup.exe	101
PID 2832 wrote to memory of 4880	2832	backup.exe	101
PID 2832 wrote to memory of 632	2832	backup.exe	102
PID 2832 wrote to memory of 632	2832	backup.exe	102
PID 2832 wrote to memory of 632	2832	backup.exe	102
PID 2832 wrote to memory of 4704	2832	backup.exe	103

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe
"C:\Users\Admin\AppData\Local\Temp\0207411f7c5df27e6039e9dff79c2bafb9d0a7846e8ff1aaafcf43d01da54f09.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\2314546252\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2314546252\backup.exe C:\Users\Admin\AppData\Local\Temp\2314546252\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\odt\System Restore.exe
      "C:\odt\System Restore.exe" C:\odt\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3908
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1676
  - - C:\Program Files\update.exe
      "C:\Program Files\update.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5048
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1916
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4964
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4944
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1616
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4800
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2396
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4860
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        System policy modification
        
        PID:5032
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4172
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:3412
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4960
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2536
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3184
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4860
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:220
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4940
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:4128
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:1140
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:828
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3668
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:5068
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3888
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:372
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1244
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3640
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4776
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:4076
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4020
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:3688
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:1496
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4544
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3964
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:3584
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2564
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4580
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Drops file in Program Files directory
        
        PID:1180
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2056
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4892
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4052
        
        C:\Program Files\Common Files\microsoft shared\Stationery\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\data.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1452
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4024
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2396
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Program Files\Common Files\microsoft shared\VC\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\update.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:1320
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\VSTO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3432
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:1812
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1968
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3376
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4280
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3480
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1336
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4816
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:5068
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3908
        
        C:\Program Files\Common Files\System\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:908
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3472
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:5048
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        System policy modification
        
        PID:3980
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:740
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2464
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4932
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1316
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1356
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:8
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1544
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2156
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3208
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2344
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:3964
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Google\Chrome\Application\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3028
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3640
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4340
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:4724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        10⤵
        
        PID:4864
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        System policy modification
        
        PID:1364
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:840
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3668
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3032
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:668
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:2564
      - C:\Program Files\Internet Explorer\de-DE\System Restore.exe
        
        "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:3364
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:672
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:3064
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2560
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:224
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:840
      - C:\Program Files\Java\jdk1.8.0_66\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\update.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:1360
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1168
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:1096
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3944
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:1552
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:1900
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1376
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:5064
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4760
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2068
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:1160
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4948
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:2708
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        System policy modification
        
        PID:2468
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:4084
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:2632
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        
        PID:4944
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:1080
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:3200
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:740
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1616
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:3476
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:828
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:2888
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1700
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3176
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2968
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\System Restore.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:3116
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:3848
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        System policy modification
        
        PID:4244
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:2132
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        
        PID:2348
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\System Restore.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:1464
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\update.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:756
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:1408
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4836
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:4892
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1296
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4048
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4992
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:3848
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:4308
        
        C:\Program Files\Microsoft Office\root\fre\data.exe
        
        "C:\Program Files\Microsoft Office\root\fre\data.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:4248
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1628
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        System policy modification
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\Licenses\update.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\update.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2720
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2836
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        System policy modification
        
        PID:4524
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        System policy modification
        
        PID:2068
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:1716
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:880
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4172
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:2504
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1976
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:4708
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        System policy modification
        
        PID:4372
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:220
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:440
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4196
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        System policy modification
        
        PID:4596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        System policy modification
        
        PID:2364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        System policy modification
        
        PID:4852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:3828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:4292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:3556
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:1200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        System policy modification
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        Drops file in Program Files directory
        
        PID:1272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        Disables RegEdit via registry modification
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:2528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        
        PID:448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        Disables RegEdit via registry modification
        
        PID:1072
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        System policy modification
        
        PID:1284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:3400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        System policy modification
        
        PID:2268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:4544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:1316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:4760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:1840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        System policy modification
        
        PID:4600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:4976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:4388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:2280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2356
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4400
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1468
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:532
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4900
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:1136
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3364
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1832
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        System policy modification
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:5068
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4292
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4868
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1244
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2344
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3492
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:2776
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4844
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:2532
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:3432
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:3828
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        System policy modification
        
        PID:1160
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3176
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:5096
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:676
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:4720
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2860
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1060
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4760
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1028
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4948
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4864
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4648
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2836
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:712
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4316
        
        C:\Users\Admin\Pictures\Camera Roll\data.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\data.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        System policy modification
        
        PID:4692
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        Drops file in Program Files directory
        
        PID:4900
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:8
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1968
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:3500
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:4852
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1876
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:3928
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2216
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:1748
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
1⤵
PID:3688

C:\Users\Admin\3D Objects\backup.exe
"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
281845f7b91e6ea1cff40a90e46823d8

SHA1
ec396487c4e0b4a90bf2df0b1727f0ebd84e4ac9

SHA256
70806d7716ed15323cf13777f6e2bb6c01a4d2a5867d7e9d654bf8e8710c05a5

SHA512
800be4609cae8367339ebe7147a03eee0b3201b2c46781433fab6fdfcbe0d009aa6b05fe838971cc65eb5de1f80a3971fdd7875201317cebd71a95030a73790b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
281845f7b91e6ea1cff40a90e46823d8

SHA1
ec396487c4e0b4a90bf2df0b1727f0ebd84e4ac9

SHA256
70806d7716ed15323cf13777f6e2bb6c01a4d2a5867d7e9d654bf8e8710c05a5

SHA512
800be4609cae8367339ebe7147a03eee0b3201b2c46781433fab6fdfcbe0d009aa6b05fe838971cc65eb5de1f80a3971fdd7875201317cebd71a95030a73790b

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
4c06d354b9772d34735cde021cb29e6f

SHA1
b4b2cdf8be6dc5215af1f81d3b5bd42221ea141e

SHA256
4b0cf34d914defcb9d28918ed0ff346e16b1630c13e3e3c90bc8b69720fe7075

SHA512
0c3cc150b7a4bf0d95c536f9ebb8786d709eb157cc5db6a196b067a534da2632e569553c30c41ece29a5659080fb81335c51be2c50197438cd8bd2ab9d31905a

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
4c06d354b9772d34735cde021cb29e6f

SHA1
b4b2cdf8be6dc5215af1f81d3b5bd42221ea141e

SHA256
4b0cf34d914defcb9d28918ed0ff346e16b1630c13e3e3c90bc8b69720fe7075

SHA512
0c3cc150b7a4bf0d95c536f9ebb8786d709eb157cc5db6a196b067a534da2632e569553c30c41ece29a5659080fb81335c51be2c50197438cd8bd2ab9d31905a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
75fc0c4e390ed3171c3ee4678a4265f2

SHA1
4c768c217cde19f6f2d1495ef2577d99f2fe502c

SHA256
f8ee0a8168d7b8600f2446b602fd85a3145a240ac51be5b76a2d1a9e9dd91b6d

SHA512
58d6a8970d4e2d2ae2c960c910e33cf67cd391d004b00f5068aa737f63792e3af64abead2f9d6c51a7ab8a009958eb52b8e5a37826b27bf4f9ef903f47b52699

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
75fc0c4e390ed3171c3ee4678a4265f2

SHA1
4c768c217cde19f6f2d1495ef2577d99f2fe502c

SHA256
f8ee0a8168d7b8600f2446b602fd85a3145a240ac51be5b76a2d1a9e9dd91b6d

SHA512
58d6a8970d4e2d2ae2c960c910e33cf67cd391d004b00f5068aa737f63792e3af64abead2f9d6c51a7ab8a009958eb52b8e5a37826b27bf4f9ef903f47b52699

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e622d943865ef0a22c7b4ece8e69b05d

SHA1
b137560763e338203ed1ebc906c51fa0d2bd2917

SHA256
e1ae3b9e1e6ebca820af1fae7d6842b245861fa904e624d187e9607f6b78852d

SHA512
34f89241add7c086484265dce4a73ad47e4629b168fb23f7804323b0bc2f5d88f5ab0247a507339078009da7868a2d575b3ddf3dcacd37173384ac587cdabbbc

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
e622d943865ef0a22c7b4ece8e69b05d

SHA1
b137560763e338203ed1ebc906c51fa0d2bd2917

SHA256
e1ae3b9e1e6ebca820af1fae7d6842b245861fa904e624d187e9607f6b78852d

SHA512
34f89241add7c086484265dce4a73ad47e4629b168fb23f7804323b0bc2f5d88f5ab0247a507339078009da7868a2d575b3ddf3dcacd37173384ac587cdabbbc

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
c7d5dd1b7ee05ce9e5a8fa2c2a4e1a1e

SHA1
bcb714fa5f5c5fefc1e6e1de59c01c0005a84eb2

SHA256
a95c100559492050b11cc8710caea97b3b8bd1baa776fdc02b3f6609c2cdc61d

SHA512
a7a9b50bc922f9f9af4b116c6dc064abd987a7f06a66c7801c4cfd6a33ba52763ae12835036f5ee84716570026d6651eff540cae51d8cdca66b9591f28e1859a

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
c7d5dd1b7ee05ce9e5a8fa2c2a4e1a1e

SHA1
bcb714fa5f5c5fefc1e6e1de59c01c0005a84eb2

SHA256
a95c100559492050b11cc8710caea97b3b8bd1baa776fdc02b3f6609c2cdc61d

SHA512
a7a9b50bc922f9f9af4b116c6dc064abd987a7f06a66c7801c4cfd6a33ba52763ae12835036f5ee84716570026d6651eff540cae51d8cdca66b9591f28e1859a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e622d943865ef0a22c7b4ece8e69b05d

SHA1
b137560763e338203ed1ebc906c51fa0d2bd2917

SHA256
e1ae3b9e1e6ebca820af1fae7d6842b245861fa904e624d187e9607f6b78852d

SHA512
34f89241add7c086484265dce4a73ad47e4629b168fb23f7804323b0bc2f5d88f5ab0247a507339078009da7868a2d575b3ddf3dcacd37173384ac587cdabbbc

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
e622d943865ef0a22c7b4ece8e69b05d

SHA1
b137560763e338203ed1ebc906c51fa0d2bd2917

SHA256
e1ae3b9e1e6ebca820af1fae7d6842b245861fa904e624d187e9607f6b78852d

SHA512
34f89241add7c086484265dce4a73ad47e4629b168fb23f7804323b0bc2f5d88f5ab0247a507339078009da7868a2d575b3ddf3dcacd37173384ac587cdabbbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9aadceef934ee6fec081ab1763be3226

SHA1
a6c417ac2ddeb3a52f410225c4766a54e79555ad

SHA256
4fbb87455b2a05cbb940d4924a8690717763973f6f6c0ef86def8960636e29d1

SHA512
079f16b4f8f6122c68ab91a62bfe5e5f97a16b6b1f3317fcfc59485ee17c35c706ec04c84c0c6b7e7dba92aba690d4c027e6aaf53057b2a821356f5615a891ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
9aadceef934ee6fec081ab1763be3226

SHA1
a6c417ac2ddeb3a52f410225c4766a54e79555ad

SHA256
4fbb87455b2a05cbb940d4924a8690717763973f6f6c0ef86def8960636e29d1

SHA512
079f16b4f8f6122c68ab91a62bfe5e5f97a16b6b1f3317fcfc59485ee17c35c706ec04c84c0c6b7e7dba92aba690d4c027e6aaf53057b2a821356f5615a891ea

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
74f758a31723d5fae7818bd073a64b47

SHA1
701a46430a0580505c711e3b1f03de6d13b5e067

SHA256
40cdc16d5668e17cdcdd5d2c76980da3874eccd00ed51e12edbab03d1de4b711

SHA512
3c31de5c1afe6d66d00b20e56fea18b62448c3fdeb304ba9828dea181863e548e32b642b8c5f9ec11fc4e24172a018ae86959d0991fcf55d1063e9924fa5e695

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\update.exe

Filesize
72KB

MD5
74f758a31723d5fae7818bd073a64b47

SHA1
701a46430a0580505c711e3b1f03de6d13b5e067

SHA256
40cdc16d5668e17cdcdd5d2c76980da3874eccd00ed51e12edbab03d1de4b711

SHA512
3c31de5c1afe6d66d00b20e56fea18b62448c3fdeb304ba9828dea181863e548e32b642b8c5f9ec11fc4e24172a018ae86959d0991fcf55d1063e9924fa5e695

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
c7d5dd1b7ee05ce9e5a8fa2c2a4e1a1e

SHA1
bcb714fa5f5c5fefc1e6e1de59c01c0005a84eb2

SHA256
a95c100559492050b11cc8710caea97b3b8bd1baa776fdc02b3f6609c2cdc61d

SHA512
a7a9b50bc922f9f9af4b116c6dc064abd987a7f06a66c7801c4cfd6a33ba52763ae12835036f5ee84716570026d6651eff540cae51d8cdca66b9591f28e1859a

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
c7d5dd1b7ee05ce9e5a8fa2c2a4e1a1e

SHA1
bcb714fa5f5c5fefc1e6e1de59c01c0005a84eb2

SHA256
a95c100559492050b11cc8710caea97b3b8bd1baa776fdc02b3f6609c2cdc61d

SHA512
a7a9b50bc922f9f9af4b116c6dc064abd987a7f06a66c7801c4cfd6a33ba52763ae12835036f5ee84716570026d6651eff540cae51d8cdca66b9591f28e1859a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
d69ebb132f2751f9453d1917f46582b2

SHA1
99446fe8d27cdd2be0e28693b34fd5939906a8cc

SHA256
716c14dd9e47788f7a8baecc57c67e31ebaf551c911f49c69c048fe51ebf2fd5

SHA512
8388ec9af6cef27ac06663d0afe98c43b39cc3ab473b1095731f45567e1ee4b21cd202baa7d06614f5cf4dd1084dc4b945e271395fd2ce56b890019ddeccaf8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
d69ebb132f2751f9453d1917f46582b2

SHA1
99446fe8d27cdd2be0e28693b34fd5939906a8cc

SHA256
716c14dd9e47788f7a8baecc57c67e31ebaf551c911f49c69c048fe51ebf2fd5

SHA512
8388ec9af6cef27ac06663d0afe98c43b39cc3ab473b1095731f45567e1ee4b21cd202baa7d06614f5cf4dd1084dc4b945e271395fd2ce56b890019ddeccaf8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9aadceef934ee6fec081ab1763be3226

SHA1
a6c417ac2ddeb3a52f410225c4766a54e79555ad

SHA256
4fbb87455b2a05cbb940d4924a8690717763973f6f6c0ef86def8960636e29d1

SHA512
079f16b4f8f6122c68ab91a62bfe5e5f97a16b6b1f3317fcfc59485ee17c35c706ec04c84c0c6b7e7dba92aba690d4c027e6aaf53057b2a821356f5615a891ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
9aadceef934ee6fec081ab1763be3226

SHA1
a6c417ac2ddeb3a52f410225c4766a54e79555ad

SHA256
4fbb87455b2a05cbb940d4924a8690717763973f6f6c0ef86def8960636e29d1

SHA512
079f16b4f8f6122c68ab91a62bfe5e5f97a16b6b1f3317fcfc59485ee17c35c706ec04c84c0c6b7e7dba92aba690d4c027e6aaf53057b2a821356f5615a891ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d69ebb132f2751f9453d1917f46582b2

SHA1
99446fe8d27cdd2be0e28693b34fd5939906a8cc

SHA256
716c14dd9e47788f7a8baecc57c67e31ebaf551c911f49c69c048fe51ebf2fd5

SHA512
8388ec9af6cef27ac06663d0afe98c43b39cc3ab473b1095731f45567e1ee4b21cd202baa7d06614f5cf4dd1084dc4b945e271395fd2ce56b890019ddeccaf8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d69ebb132f2751f9453d1917f46582b2

SHA1
99446fe8d27cdd2be0e28693b34fd5939906a8cc

SHA256
716c14dd9e47788f7a8baecc57c67e31ebaf551c911f49c69c048fe51ebf2fd5

SHA512
8388ec9af6cef27ac06663d0afe98c43b39cc3ab473b1095731f45567e1ee4b21cd202baa7d06614f5cf4dd1084dc4b945e271395fd2ce56b890019ddeccaf8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8028af982474c9fac89fb314281216d9

SHA1
f17c2edc5e65998df7d2dad3b27a6c6a624763d8

SHA256
da945661ac8c80edb304b411eeb6b9ea03a7f5399883e25476506fe6703194b4

SHA512
ee2e4d1f877a0eae4d36c0d3fd562f298c14f60776a89ca8be493b1256c2e22a0602029067bc2d5e19938957f229c8bc0c29a9797ed3f0e893cc43ff29e634ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\data.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
3b445d4fec7a1a3045bc7fb5f26e18ea

SHA1
7527abd98767581a0f7f1e465fe7859b0fce4557

SHA256
e7c286caf26fd84dd4de8161aee90152a17a8041d9dce6d27ca489b7ba9f2a70

SHA512
52653307589b122cbc67367f13f2574a057be9a20285b90a87b98028c53acab8ea600e0945c3f4bd0b71078bac34d9815fd2e6aee9d4e8f254e262e14f92b972

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
3c5be1edc2c160c5482344ccb0703e98

SHA1
3a38bb4a4e095af8973080b715b785691ba5145c

SHA256
7de8b76402b51b7b5248b31799494fc1ac395da76434d29a087f747f96ed7797

SHA512
fcd6c894f43fe5aa642bade6a42576f3827c0538b77fc578e84c2473717cf765a80f144e764637f09a2a0d2095983e4037018d03e79010a75d718c9ec5e15224

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
3c5be1edc2c160c5482344ccb0703e98

SHA1
3a38bb4a4e095af8973080b715b785691ba5145c

SHA256
7de8b76402b51b7b5248b31799494fc1ac395da76434d29a087f747f96ed7797

SHA512
fcd6c894f43fe5aa642bade6a42576f3827c0538b77fc578e84c2473717cf765a80f144e764637f09a2a0d2095983e4037018d03e79010a75d718c9ec5e15224

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
dfc72f24a0b5557bec33ae2f34f4a707

SHA1
822b39252f40ffb24a1287bd13cb91e1ba5f68fd

SHA256
9603fe84986b96df2df5f3d2031663529bad4672674d63e628f18179392bc7dd

SHA512
d9067410b2e750088041198f8cfb9e8f927cb2ec851a7f175b36a61bcae0a9f84d362608aa284ce226f1844919a41bdaa2a28188287d9b4574c44f2c6b6de845

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
dfc72f24a0b5557bec33ae2f34f4a707

SHA1
822b39252f40ffb24a1287bd13cb91e1ba5f68fd

SHA256
9603fe84986b96df2df5f3d2031663529bad4672674d63e628f18179392bc7dd

SHA512
d9067410b2e750088041198f8cfb9e8f927cb2ec851a7f175b36a61bcae0a9f84d362608aa284ce226f1844919a41bdaa2a28188287d9b4574c44f2c6b6de845

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
fa84cb99e3790012b0a3c3991cf7e5f3

SHA1
101076c32cccbdbd36276b43b123fc2b81cdf513

SHA256
34be0ffc002d4fa6299a2bac83a6b6e92e1554f1e3878d472f635161d565b586

SHA512
9661328053609cfdff783734ab03e9936d8afdbc3176998585f557097ec60066b1ef0d0e9f3d4850a7ea60fd30c3c21ef6b0ab2dd90f0820e5e382d333c5fcc7

Download Submit
C:\Program Files\update.exe

Filesize
72KB

MD5
fa84cb99e3790012b0a3c3991cf7e5f3

SHA1
101076c32cccbdbd36276b43b123fc2b81cdf513

SHA256
34be0ffc002d4fa6299a2bac83a6b6e92e1554f1e3878d472f635161d565b586

SHA512
9661328053609cfdff783734ab03e9936d8afdbc3176998585f557097ec60066b1ef0d0e9f3d4850a7ea60fd30c3c21ef6b0ab2dd90f0820e5e382d333c5fcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2314546252\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2314546252\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
47d1484e726eabaf93ce6bbd70a493fa

SHA1
6d6f02a28b1da9c16f9fc12af21b37967d381ea7

SHA256
2176ad9f0b10a0415c7151e5891c521734e8bc202c13c40b7da26b085204880f

SHA512
93cded37216ed8f495e8091fe8b3421a9fd00152f70cd9cd38018b60aa909a23153d50c5a0fdf2408ed819c273b81166fc59b70102018c4d6c60b186d29100ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
bdf379fed422af92ec76a4f9d2365313

SHA1
619e7b8864b05d71c6206bfdf3f6f977b6d2ca3b

SHA256
1fd5e057142a32dde43fe8754c780772fa5a43f7264a47bb0579e317b1395e0c

SHA512
0ab6c747f0637d9036b9bfe7bcf641658303860f63dfc978610c4eb8359bc7c16390bf45e8ff927a796da1a696a46a69907654fa32f9dcea75e855c461b5d8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
20a2289dfa06984aa20eaf5c0c42e34a

SHA1
a625071fb6b6b5555165d3a2f103926a74113a48

SHA256
8bf3bc2446d27535b9163c56866c033cc9fec8dcfb36fd1f106b5b1db19fc3c7

SHA512
15552ff851c9ffcb7344238aa855606ad7dbca40077f79bb489ed4cc4ad400dd67a3ebd4efb5aa933a3ebfb8ebe54de962690ef5fe264f64eecd6b69fadd6ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
20a2289dfa06984aa20eaf5c0c42e34a

SHA1
a625071fb6b6b5555165d3a2f103926a74113a48

SHA256
8bf3bc2446d27535b9163c56866c033cc9fec8dcfb36fd1f106b5b1db19fc3c7

SHA512
15552ff851c9ffcb7344238aa855606ad7dbca40077f79bb489ed4cc4ad400dd67a3ebd4efb5aa933a3ebfb8ebe54de962690ef5fe264f64eecd6b69fadd6ce2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
de8f45b620c36ff603281f754fbf5211

SHA1
89a6a23562fc2cfa6448f72d870f3ea920375712

SHA256
9b1c0eb2cbb32336fba927467da61721e1289d842464f84a09aa47732dbe32e4

SHA512
9d6dc461dbb48432dd971073578fefa50a6ade93b165f52c4b2d9720ad6f08234e6a525fd897ecbef8c3844a8d535af3f7f5a1fa6b50b5a04daa7952c467297c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
de8f45b620c36ff603281f754fbf5211

SHA1
89a6a23562fc2cfa6448f72d870f3ea920375712

SHA256
9b1c0eb2cbb32336fba927467da61721e1289d842464f84a09aa47732dbe32e4

SHA512
9d6dc461dbb48432dd971073578fefa50a6ade93b165f52c4b2d9720ad6f08234e6a525fd897ecbef8c3844a8d535af3f7f5a1fa6b50b5a04daa7952c467297c

Download Submit
C:\odt\System Restore.exe

Filesize
72KB

MD5
281845f7b91e6ea1cff40a90e46823d8

SHA1
ec396487c4e0b4a90bf2df0b1727f0ebd84e4ac9

SHA256
70806d7716ed15323cf13777f6e2bb6c01a4d2a5867d7e9d654bf8e8710c05a5

SHA512
800be4609cae8367339ebe7147a03eee0b3201b2c46781433fab6fdfcbe0d009aa6b05fe838971cc65eb5de1f80a3971fdd7875201317cebd71a95030a73790b

Download Submit
C:\odt\System Restore.exe

Filesize
72KB

MD5
281845f7b91e6ea1cff40a90e46823d8

SHA1
ec396487c4e0b4a90bf2df0b1727f0ebd84e4ac9

SHA256
70806d7716ed15323cf13777f6e2bb6c01a4d2a5867d7e9d654bf8e8710c05a5

SHA512
800be4609cae8367339ebe7147a03eee0b3201b2c46781433fab6fdfcbe0d009aa6b05fe838971cc65eb5de1f80a3971fdd7875201317cebd71a95030a73790b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads