a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5

Analysis

max time kernel
191s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe
Size

72KB
MD5

0679afb5dee70927aba930dc1899e776
SHA1

d95dc0fa4e60eb1dcbb0dc97eddea63da7563277
SHA256

a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5
SHA512

9cd420b699eefd7833ac08d77fbdc6a453c080745619dbdea407d48fb607e5c9b90b00ab301df1e756d4af1e4cf9215bf6b2208c55f755f241f0a2406d8c7b2d
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyvUow:HeT7BVwxfvqguKRFAbP

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
4768	backup.exe
4088	backup.exe
2432	backup.exe
4960	backup.exe
4940	backup.exe
1744	backup.exe
1808	backup.exe
1620	backup.exe
1456	backup.exe
1452	System Restore.exe
2716	backup.exe
2536	backup.exe
5056	backup.exe
2380	backup.exe
232	backup.exe
1304	backup.exe
1320	backup.exe
3508	backup.exe
3428	backup.exe
3536	backup.exe
2836	backup.exe
5100	backup.exe
4996	System Restore.exe
1812	backup.exe
3748	backup.exe
2728	backup.exe
4984	data.exe
1540	backup.exe
1976	data.exe
2496	backup.exe
2352	backup.exe
4116	backup.exe
3908	backup.exe
4468	backup.exe
3568	backup.exe
1052	backup.exe
3004	backup.exe
1140	backup.exe
1632	backup.exe
1612	backup.exe
1968	backup.exe
2724	backup.exe
3980	backup.exe
1624	backup.exe
1836	backup.exe
4924	backup.exe
4568	backup.exe
2292	backup.exe
3984	backup.exe
3048	backup.exe
1224	backup.exe
3912	backup.exe
4752	backup.exe
2692	backup.exe
3944	backup.exe
4072	backup.exe
4868	update.exe
860	System Restore.exe
4948	backup.exe
4820	backup.exe
1916	backup.exe
4120	update.exe
1192	update.exe
2476	backup.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	data.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\data.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\System Restore.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe
4768	backup.exe
4088	backup.exe
2432	backup.exe
4960	backup.exe
4940	backup.exe
1744	backup.exe
1808	backup.exe
1620	backup.exe
1456	backup.exe
1452	System Restore.exe
2716	backup.exe
2536	backup.exe
5056	backup.exe
2380	backup.exe
232	backup.exe
1304	backup.exe
1320	backup.exe
3508	backup.exe
3428	backup.exe
3536	backup.exe
2836	backup.exe
5100	backup.exe
4996	System Restore.exe
1812	backup.exe
3748	backup.exe
2728	backup.exe
4984	data.exe
1540	backup.exe
1976	data.exe
2352	backup.exe
2496	backup.exe
3908	backup.exe
4116	backup.exe
4468	backup.exe
3568	backup.exe
3004	backup.exe
1052	backup.exe
1140	backup.exe
1632	backup.exe
1612	backup.exe
1968	backup.exe
2724	backup.exe
3980	backup.exe
1624	backup.exe
1836	backup.exe
4924	backup.exe
4568	backup.exe
2292	backup.exe
3984	backup.exe
3048	backup.exe
1224	backup.exe
3912	backup.exe
4752	backup.exe
2692	backup.exe
3944	backup.exe
4072	backup.exe
4868	update.exe
860	System Restore.exe
4948	backup.exe
4820	backup.exe
1916	backup.exe
4120	update.exe
1192	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4768	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	80
PID 1948 wrote to memory of 4768	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	80
PID 1948 wrote to memory of 4768	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	80
PID 1948 wrote to memory of 4088	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	81
PID 1948 wrote to memory of 4088	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	81
PID 1948 wrote to memory of 4088	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	81
PID 1948 wrote to memory of 2432	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	82
PID 1948 wrote to memory of 2432	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	82
PID 1948 wrote to memory of 2432	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	82
PID 4768 wrote to memory of 4960	4768	backup.exe	83
PID 4768 wrote to memory of 4960	4768	backup.exe	83
PID 4768 wrote to memory of 4960	4768	backup.exe	83
PID 1948 wrote to memory of 4940	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	84
PID 1948 wrote to memory of 4940	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	84
PID 1948 wrote to memory of 4940	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	84
PID 1948 wrote to memory of 1744	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	85
PID 1948 wrote to memory of 1744	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	85
PID 1948 wrote to memory of 1744	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	85
PID 4960 wrote to memory of 1808	4960	backup.exe	86
PID 4960 wrote to memory of 1808	4960	backup.exe	86
PID 4960 wrote to memory of 1808	4960	backup.exe	86
PID 1948 wrote to memory of 1620	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	87
PID 1948 wrote to memory of 1620	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	87
PID 1948 wrote to memory of 1620	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	87
PID 1948 wrote to memory of 1452	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	88
PID 1948 wrote to memory of 1452	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	88
PID 1948 wrote to memory of 1452	1948	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe	88
PID 4960 wrote to memory of 1456	4960	backup.exe	89
PID 4960 wrote to memory of 1456	4960	backup.exe	89
PID 4960 wrote to memory of 1456	4960	backup.exe	89
PID 4960 wrote to memory of 2716	4960	backup.exe	90
PID 4960 wrote to memory of 2716	4960	backup.exe	90
PID 4960 wrote to memory of 2716	4960	backup.exe	90
PID 2716 wrote to memory of 2536	2716	backup.exe	91
PID 2716 wrote to memory of 2536	2716	backup.exe	91
PID 2716 wrote to memory of 2536	2716	backup.exe	91
PID 2536 wrote to memory of 5056	2536	backup.exe	92
PID 2536 wrote to memory of 5056	2536	backup.exe	92
PID 2536 wrote to memory of 5056	2536	backup.exe	92
PID 2716 wrote to memory of 2380	2716	backup.exe	93
PID 2716 wrote to memory of 2380	2716	backup.exe	93
PID 2716 wrote to memory of 2380	2716	backup.exe	93
PID 2380 wrote to memory of 232	2380	backup.exe	94
PID 2380 wrote to memory of 232	2380	backup.exe	94
PID 2380 wrote to memory of 232	2380	backup.exe	94
PID 2380 wrote to memory of 1304	2380	backup.exe	95
PID 2380 wrote to memory of 1304	2380	backup.exe	95
PID 2380 wrote to memory of 1304	2380	backup.exe	95
PID 1304 wrote to memory of 1320	1304	backup.exe	96
PID 1304 wrote to memory of 1320	1304	backup.exe	96
PID 1304 wrote to memory of 1320	1304	backup.exe	96
PID 2716 wrote to memory of 3508	2716	backup.exe	100
PID 2716 wrote to memory of 3508	2716	backup.exe	100
PID 2716 wrote to memory of 3508	2716	backup.exe	100
PID 1304 wrote to memory of 3428	1304	backup.exe	97
PID 1304 wrote to memory of 3428	1304	backup.exe	97
PID 1304 wrote to memory of 3428	1304	backup.exe	97
PID 4960 wrote to memory of 2836	4960	backup.exe	98
PID 4960 wrote to memory of 2836	4960	backup.exe	98
PID 4960 wrote to memory of 2836	4960	backup.exe	98
PID 2380 wrote to memory of 3536	2380	backup.exe	99
PID 2380 wrote to memory of 3536	2380	backup.exe	99
PID 2380 wrote to memory of 3536	2380	backup.exe	99
PID 3508 wrote to memory of 5100	3508	backup.exe	101

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe
"C:\Users\Admin\AppData\Local\Temp\a4bfcb738a0ccdb3efd1b5596821bd656bb9d901b6b30b5949bbd6bf946b1fb5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
- C:\Users\Admin\AppData\Local\Temp\3884108770\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3884108770\backup.exe C:\Users\Admin\AppData\Local\Temp\3884108770\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1456
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2716
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2380
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:232
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3748
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3908
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2292
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4868
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:860
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:2944
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:3752
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        System policy modification
        
        PID:920
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:4188
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4496
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:1740
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:3536
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4128
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        System policy modification
        
        PID:4344
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        System policy modification
        
        PID:5072
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:3388
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        System policy modification
        
        PID:4344
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:1408
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:2200
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3928
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2244
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:4764
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4864
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        System policy modification
        
        PID:3160
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:4908
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:3980
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4008
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4560
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1736
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2128
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:548
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:1156
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4776
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:1608
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3524
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3536
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1976
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4116
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2692
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4948
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1192
        
        C:\Program Files\Common Files\System\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\it-IT\System Restore.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:412
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:224
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3928
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4856
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4296
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2332
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        System policy modification
        
        PID:3432
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1212
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3404
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1040
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\update.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3032
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:5056
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3752
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1104
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        System policy modification
        
        PID:3644
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3568
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3984
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4752
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4072
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:2476
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:2460
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Drops file in Program Files directory
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4008
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4940
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1488
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4128
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2200
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:4884
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1140
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4872
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4104
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:3784
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4088
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:3508
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:452
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:328
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Drops file in Program Files directory
        
        PID:4860
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3336
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        System policy modification
        
        PID:4252
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:1188
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:4980
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:4108
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:2520
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2544
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1808
      - C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:3328
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3168
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        
        PID:1328
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3036
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:4364
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:2264
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1836
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3188
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:884
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:4488
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:3252
    - - C:\Program Files\Microsoft Office 15\data.exe
        
        "C:\Program Files\Microsoft Office 15\data.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:4236
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:3472
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2836
    - - C:\Program Files (x86)\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4996
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Drops file in Program Files directory
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:2888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        System policy modification
        
        PID:640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:3208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:3380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Drops file in Program Files directory
        
        PID:3904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        System policy modification
        
        PID:4820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:2992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2248
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4180
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3104
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5108
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Drops file in Program Files directory
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        System policy modification
        
        PID:4524
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        System policy modification
        
        PID:4336
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4892
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        System policy modification
        
        PID:1800
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        System policy modification
        
        PID:384
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3432
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:2736
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
      - C:\Program Files (x86)\Google\CrashReports\data.exe
        
        "C:\Program Files (x86)\Google\CrashReports\data.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4508
      - C:\Program Files (x86)\Google\Temp\data.exe
        
        "C:\Program Files (x86)\Google\Temp\data.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2324
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1664
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:3020
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:1632
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:744
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4344
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:740
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2128
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1124
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Drops file in Program Files directory
        
        PID:3076
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:4056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:3484
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3552
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        
        PID:4068
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4484
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1032
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:3808
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:5084
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2536
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4560
    - - C:\Users\Public\update.exe
        
        C:\Users\Public\update.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1164
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2756
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4164
    - - C:\Windows\addins\data.exe
        
        C:\Windows\addins\data.exe C:\Windows\addins\
        5⤵
        Loads dropped DLL
        
        PID:1316
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:3768
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:3596
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        System policy modification
        
        PID:4996
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:1428
      - C:\Windows\appcompat\encapsulation\System Restore.exe
        
        "C:\Windows\appcompat\encapsulation\System Restore.exe" C:\Windows\appcompat\encapsulation\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:2476
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:4848
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1040
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:1268
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:5024
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
1⤵
PID:3756
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
  2⤵
  PID:2372

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
46248d001aee286746f52200cbf97eb6

SHA1
331dc6c4d90ba6364082b536bd30033d480d4b09

SHA256
d40a87624b3b94e5d35554362661832f5b2780fe93dc5203a4557a94c65fe49b

SHA512
683db5374cc1ab09f788b75457ee51bbddacc7c53891e73e0bdc49c17fd33b67608e36a59e6b50fd4140ba1dcd78614fd3df933ab60a51cf490f330693235f57

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
46248d001aee286746f52200cbf97eb6

SHA1
331dc6c4d90ba6364082b536bd30033d480d4b09

SHA256
d40a87624b3b94e5d35554362661832f5b2780fe93dc5203a4557a94c65fe49b

SHA512
683db5374cc1ab09f788b75457ee51bbddacc7c53891e73e0bdc49c17fd33b67608e36a59e6b50fd4140ba1dcd78614fd3df933ab60a51cf490f330693235f57

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
fd31a3d0d73ed8adc71fe4d1ed319e55

SHA1
1efbcbb3457cdb679271e7bf0d7c5d054178eb34

SHA256
ff6c875a2162e13738f0488b1f3396ef03a003a2e0343a3711ff79871d184510

SHA512
7a5a5e722af50ccb81a4636ed3e29a661aca2f3e4f7125c3f81c79fe148cb5bc9f1af3a6f9303f9ab47e8743bdb7bc973c21f168dd82ec57a6faade168169e2d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
fd31a3d0d73ed8adc71fe4d1ed319e55

SHA1
1efbcbb3457cdb679271e7bf0d7c5d054178eb34

SHA256
ff6c875a2162e13738f0488b1f3396ef03a003a2e0343a3711ff79871d184510

SHA512
7a5a5e722af50ccb81a4636ed3e29a661aca2f3e4f7125c3f81c79fe148cb5bc9f1af3a6f9303f9ab47e8743bdb7bc973c21f168dd82ec57a6faade168169e2d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\data.exe

Filesize
72KB

MD5
25688e4c2cbdea239f217e0712c17979

SHA1
7f8e334b6702b411b8bae98779441db19010be02

SHA256
b00872081900c9bf2976e385f72ab7e76d48ee60817a887b076e674e0bc2509e

SHA512
6d19becf5fd5cba58ccc3497d40ade6b0bd7a048d14e25aa6f41d82761f31014d307818e3c93f2c7991d66072b6cd279787b335ad9333212785aa4229a8d75d2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\data.exe

Filesize
72KB

MD5
25688e4c2cbdea239f217e0712c17979

SHA1
7f8e334b6702b411b8bae98779441db19010be02

SHA256
b00872081900c9bf2976e385f72ab7e76d48ee60817a887b076e674e0bc2509e

SHA512
6d19becf5fd5cba58ccc3497d40ade6b0bd7a048d14e25aa6f41d82761f31014d307818e3c93f2c7991d66072b6cd279787b335ad9333212785aa4229a8d75d2

Download Submit
C:\Program Files (x86)\Adobe\System Restore.exe

Filesize
72KB

MD5
1fe63ad4886f515cd8623a542079a8ea

SHA1
df3f009daa3ce34ebc7329cf4212be455953a416

SHA256
89b1d313c555383561f4ef4c576f92151612cf0b7953a64bb0c7a22cd0248a65

SHA512
d94cb358dba8f1e0eb1833ba8be7f440dfb89d570c57a0943a1c23cb831263f0fd3533a9979733abf74d7baafa7971737ca29cae1bedab5e1138892027940c21

Download Submit
C:\Program Files (x86)\Adobe\System Restore.exe

Filesize
72KB

MD5
1fe63ad4886f515cd8623a542079a8ea

SHA1
df3f009daa3ce34ebc7329cf4212be455953a416

SHA256
89b1d313c555383561f4ef4c576f92151612cf0b7953a64bb0c7a22cd0248a65

SHA512
d94cb358dba8f1e0eb1833ba8be7f440dfb89d570c57a0943a1c23cb831263f0fd3533a9979733abf74d7baafa7971737ca29cae1bedab5e1138892027940c21

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
1d4ddd14ba821423a0b89512b345aacd

SHA1
0a0f0a2d33402015d4154a07673173814df5d0fe

SHA256
43f108ef8b62fa2c045082b20f955312d2b6161ec4d606e766b110d84643a668

SHA512
1007985bda8a3c01ce4f132fd70df2d5d611984bdd16b4891808bb192b8b34fc29f51bebe5f5557dbdb6de2f88f3970eab2d0992495ee3430b08594f65fa04ef

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
1d4ddd14ba821423a0b89512b345aacd

SHA1
0a0f0a2d33402015d4154a07673173814df5d0fe

SHA256
43f108ef8b62fa2c045082b20f955312d2b6161ec4d606e766b110d84643a668

SHA512
1007985bda8a3c01ce4f132fd70df2d5d611984bdd16b4891808bb192b8b34fc29f51bebe5f5557dbdb6de2f88f3970eab2d0992495ee3430b08594f65fa04ef

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eb083f7b8cc54b07e9e6770641c902d1

SHA1
2e5d758ca419e69b5bca99e2abf45f14532b3535

SHA256
756fec7bd7b656ed4a8833b1b0097c4ef0900708fc1cd5b5e029832207e62138

SHA512
cb0b8450ba07a36a4656d825faa75211bf0edf9680c62172eeaf1b6ad131fb6056393c364db4b8119e6d65ec7f3954c8b6a3c65fbcdafdde8b5ee0f036e96d76

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
eb083f7b8cc54b07e9e6770641c902d1

SHA1
2e5d758ca419e69b5bca99e2abf45f14532b3535

SHA256
756fec7bd7b656ed4a8833b1b0097c4ef0900708fc1cd5b5e029832207e62138

SHA512
cb0b8450ba07a36a4656d825faa75211bf0edf9680c62172eeaf1b6ad131fb6056393c364db4b8119e6d65ec7f3954c8b6a3c65fbcdafdde8b5ee0f036e96d76

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ca195c9ad6dd1b34f0482ba18411508f

SHA1
b72e110f50400c6342a5aa8f0e76d2ad73ccbc73

SHA256
691e2cde7ead9591c7db895eaf5d17f76eed2ca9865a5de89841337562949492

SHA512
a54822d0cb8fa62690ae024c85c0cd5d0274b614ca3cbbe766e598db57d4db080b7f43458420f95ff9b1103cc774b9c4c069b2145caa8279b210bf415bb72a76

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
ca195c9ad6dd1b34f0482ba18411508f

SHA1
b72e110f50400c6342a5aa8f0e76d2ad73ccbc73

SHA256
691e2cde7ead9591c7db895eaf5d17f76eed2ca9865a5de89841337562949492

SHA512
a54822d0cb8fa62690ae024c85c0cd5d0274b614ca3cbbe766e598db57d4db080b7f43458420f95ff9b1103cc774b9c4c069b2145caa8279b210bf415bb72a76

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
40156d68f7cbd850f0d4c1227961cb8a

SHA1
30ef83787c768bb5a227e433d1c34c4b7b22fe7b

SHA256
64bb15f637fb5897394955e6bf29bb5f13a52549d4fe7cf2c6576107117a24a6

SHA512
eba4c51c23d81c50ce66d71844578202214137c92180212c86be0ab1a160181ae845ce296606ff3bc732f1e1666dc7d64c9ce8e727e82db6a1101d3072aa022c

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
40156d68f7cbd850f0d4c1227961cb8a

SHA1
30ef83787c768bb5a227e433d1c34c4b7b22fe7b

SHA256
64bb15f637fb5897394955e6bf29bb5f13a52549d4fe7cf2c6576107117a24a6

SHA512
eba4c51c23d81c50ce66d71844578202214137c92180212c86be0ab1a160181ae845ce296606ff3bc732f1e1666dc7d64c9ce8e727e82db6a1101d3072aa022c

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
5813193c7b217ecb40ddb8b0c01a7d81

SHA1
99d20a4ad542494c322b76b6da7729cc4ca63080

SHA256
45e860db40b8557d78e8320918f483b0eb7f1107081df136969863fb7abde3f0

SHA512
3b233f38a2b0048b3c12ccaa7f855ced4990dbbd5c1e35bd1b924c91f5f49ba3401c7ee9e4e74cc7de4030565d5322d7d6d0849afc537cf9cfb5628dbf612dba

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
5813193c7b217ecb40ddb8b0c01a7d81

SHA1
99d20a4ad542494c322b76b6da7729cc4ca63080

SHA256
45e860db40b8557d78e8320918f483b0eb7f1107081df136969863fb7abde3f0

SHA512
3b233f38a2b0048b3c12ccaa7f855ced4990dbbd5c1e35bd1b924c91f5f49ba3401c7ee9e4e74cc7de4030565d5322d7d6d0849afc537cf9cfb5628dbf612dba

Download Submit
C:\Program Files\Common Files\System\ado\data.exe

Filesize
72KB

MD5
b811d5c02db5593986f1efd17f4506e9

SHA1
01f417ff5f3032c53b3cfb6477b89342f49ce9b1

SHA256
1e89bf957ef90b993026924e6220ed916ab54ce18f7eefcb05768074fa7486db

SHA512
007a676444e92acf25a4d07b82e8ba05e275eb8b3c2aa6188458f72a5f17c46930de20678bd3ef5ccc76c6e31fb1cdd5b309089dabf4a351714681c6ac8a16f0

Download Submit
C:\Program Files\Common Files\System\ado\data.exe

Filesize
72KB

MD5
b811d5c02db5593986f1efd17f4506e9

SHA1
01f417ff5f3032c53b3cfb6477b89342f49ce9b1

SHA256
1e89bf957ef90b993026924e6220ed916ab54ce18f7eefcb05768074fa7486db

SHA512
007a676444e92acf25a4d07b82e8ba05e275eb8b3c2aa6188458f72a5f17c46930de20678bd3ef5ccc76c6e31fb1cdd5b309089dabf4a351714681c6ac8a16f0

Download Submit
C:\Program Files\Common Files\System\ado\de-DE\backup.exe

Filesize
72KB

MD5
f0c7a5bc521054551c0da9cb4e9b79d9

SHA1
991e7c9e8878ca2fed19473152ad5c78a16b0987

SHA256
a6e26e3d095f57715082ee88e4e09331ef19658304a7e89f3d28cbe07c88078f

SHA512
0f9b81f0decc97e6c2a246e1a2a7601a590f7d771cc915a210d3c78ead5bc24a7ce54a64d83573e4e1b127e1402ea68918ae2a75b702e3a18de644c265ff5be3

Download Submit
C:\Program Files\Common Files\System\ado\de-DE\backup.exe

Filesize
72KB

MD5
f0c7a5bc521054551c0da9cb4e9b79d9

SHA1
991e7c9e8878ca2fed19473152ad5c78a16b0987

SHA256
a6e26e3d095f57715082ee88e4e09331ef19658304a7e89f3d28cbe07c88078f

SHA512
0f9b81f0decc97e6c2a246e1a2a7601a590f7d771cc915a210d3c78ead5bc24a7ce54a64d83573e4e1b127e1402ea68918ae2a75b702e3a18de644c265ff5be3

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
5813193c7b217ecb40ddb8b0c01a7d81

SHA1
99d20a4ad542494c322b76b6da7729cc4ca63080

SHA256
45e860db40b8557d78e8320918f483b0eb7f1107081df136969863fb7abde3f0

SHA512
3b233f38a2b0048b3c12ccaa7f855ced4990dbbd5c1e35bd1b924c91f5f49ba3401c7ee9e4e74cc7de4030565d5322d7d6d0849afc537cf9cfb5628dbf612dba

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
5813193c7b217ecb40ddb8b0c01a7d81

SHA1
99d20a4ad542494c322b76b6da7729cc4ca63080

SHA256
45e860db40b8557d78e8320918f483b0eb7f1107081df136969863fb7abde3f0

SHA512
3b233f38a2b0048b3c12ccaa7f855ced4990dbbd5c1e35bd1b924c91f5f49ba3401c7ee9e4e74cc7de4030565d5322d7d6d0849afc537cf9cfb5628dbf612dba

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c115616421c41cf42722426854e180dc

SHA1
fbdf73c959643d9691e4f8ede737a18582bad5ab

SHA256
ede573eb167c1a502498864019855ba8cec67de9681d53c1e9fc44ce1d96fe31

SHA512
2e421ff256192d6c76b60e2ec67f5051f12217fedb22b99920b495a291665fc031f840c9198fe29e1244d673d0f8908d1e1d97a8309880e66671974b51a8f310

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
c115616421c41cf42722426854e180dc

SHA1
fbdf73c959643d9691e4f8ede737a18582bad5ab

SHA256
ede573eb167c1a502498864019855ba8cec67de9681d53c1e9fc44ce1d96fe31

SHA512
2e421ff256192d6c76b60e2ec67f5051f12217fedb22b99920b495a291665fc031f840c9198fe29e1244d673d0f8908d1e1d97a8309880e66671974b51a8f310

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
ab569e68753c50b345a8513b6cef9624

SHA1
31a0795de8a2faed9c278e103fa7bc178c474673

SHA256
440968e9c984b361f03a2658c55246acc99176b41950cb93655fc13a62998181

SHA512
d10c6dc76fdfaea011a344a590d16bfc4b4377c151161dc759e0829d5a0b9aebff61e304f53b93939159559905d1f1e25be00b2ece793dd79c660f427756ad17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
ab569e68753c50b345a8513b6cef9624

SHA1
31a0795de8a2faed9c278e103fa7bc178c474673

SHA256
440968e9c984b361f03a2658c55246acc99176b41950cb93655fc13a62998181

SHA512
d10c6dc76fdfaea011a344a590d16bfc4b4377c151161dc759e0829d5a0b9aebff61e304f53b93939159559905d1f1e25be00b2ece793dd79c660f427756ad17

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
40156d68f7cbd850f0d4c1227961cb8a

SHA1
30ef83787c768bb5a227e433d1c34c4b7b22fe7b

SHA256
64bb15f637fb5897394955e6bf29bb5f13a52549d4fe7cf2c6576107117a24a6

SHA512
eba4c51c23d81c50ce66d71844578202214137c92180212c86be0ab1a160181ae845ce296606ff3bc732f1e1666dc7d64c9ce8e727e82db6a1101d3072aa022c

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
40156d68f7cbd850f0d4c1227961cb8a

SHA1
30ef83787c768bb5a227e433d1c34c4b7b22fe7b

SHA256
64bb15f637fb5897394955e6bf29bb5f13a52549d4fe7cf2c6576107117a24a6

SHA512
eba4c51c23d81c50ce66d71844578202214137c92180212c86be0ab1a160181ae845ce296606ff3bc732f1e1666dc7d64c9ce8e727e82db6a1101d3072aa022c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
91492f950d070e58ac006540393c3a68

SHA1
2e60719a72219d63ea12b835f78a67a6187c5510

SHA256
2558c0f69fdb7b536e1ad7f956b49414ffd7c778e4f89bae7340b19bfd59b19e

SHA512
4759d7e89b3bb984652194094ff62ea034f1ccee8d9c31d2f6851a48e2fe141abf0b4df403474f326cffb5294acca8709e5e7b3681208938976d56bda97f68e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
91492f950d070e58ac006540393c3a68

SHA1
2e60719a72219d63ea12b835f78a67a6187c5510

SHA256
2558c0f69fdb7b536e1ad7f956b49414ffd7c778e4f89bae7340b19bfd59b19e

SHA512
4759d7e89b3bb984652194094ff62ea034f1ccee8d9c31d2f6851a48e2fe141abf0b4df403474f326cffb5294acca8709e5e7b3681208938976d56bda97f68e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b45c8696609a91d23792d32e989dd817

SHA1
136f111b8da32852504c7bb2a5ba04478c0e392b

SHA256
6146b71b50d767866d39acb9bf5b0de685a18f25a2efcb3472e2b30b2eaedb88

SHA512
4214e8df68f77d7dfc3172f404fbc144bb6710d96799a38b56e25cc4ab783c37253499a0cb0ee7323162215633277361196731b6e98a1cf426d56a2809becba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
b45c8696609a91d23792d32e989dd817

SHA1
136f111b8da32852504c7bb2a5ba04478c0e392b

SHA256
6146b71b50d767866d39acb9bf5b0de685a18f25a2efcb3472e2b30b2eaedb88

SHA512
4214e8df68f77d7dfc3172f404fbc144bb6710d96799a38b56e25cc4ab783c37253499a0cb0ee7323162215633277361196731b6e98a1cf426d56a2809becba6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
f58844461d9abf8e24af43988eb13186

SHA1
55f74c93ef81aff19ba86fb55e3ecc0863413f40

SHA256
6d972eb1ac44a1999375e898bef40433691624306c8a381d2af4c6977c56b50f

SHA512
6e96ac3c8f9ec9c84121bd0ed2cc3f9f9fecddb058ab8f89b90e86a005699795e46f2e0187db41f00da2b583be1f6bd726326baccaa1f81cf20022e170f774fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
f58844461d9abf8e24af43988eb13186

SHA1
55f74c93ef81aff19ba86fb55e3ecc0863413f40

SHA256
6d972eb1ac44a1999375e898bef40433691624306c8a381d2af4c6977c56b50f

SHA512
6e96ac3c8f9ec9c84121bd0ed2cc3f9f9fecddb058ab8f89b90e86a005699795e46f2e0187db41f00da2b583be1f6bd726326baccaa1f81cf20022e170f774fb

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe

Filesize
72KB

MD5
0ff2feae87f4028292081faf2c676ad0

SHA1
77b5deb797d6d8ef1001aed904c5e23d0c8ab24f

SHA256
3b1e8e2100aec4c87a4b77717f6cb9a52e565777c204d00590a76c44077ff089

SHA512
c4e70930b09931cf5f733f1cb1539b8fdaff3cc9d9b7f1e6c9c53c10acbe5395318f0848fb746884276b2407efbbf7665124c5a5d506116a9f928a374428bebe

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe

Filesize
72KB

MD5
0ff2feae87f4028292081faf2c676ad0

SHA1
77b5deb797d6d8ef1001aed904c5e23d0c8ab24f

SHA256
3b1e8e2100aec4c87a4b77717f6cb9a52e565777c204d00590a76c44077ff089

SHA512
c4e70930b09931cf5f733f1cb1539b8fdaff3cc9d9b7f1e6c9c53c10acbe5395318f0848fb746884276b2407efbbf7665124c5a5d506116a9f928a374428bebe

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
eb369ed34db153da98af775f52a714a1

SHA1
bbf5ebdb3da325ac0cbd2c3f700fd7c527df0d76

SHA256
222516d9e89a48a0ce46ae96915dd69d74389221bd0ae8fc0c98f398d5ca2b86

SHA512
51b8c394f194d9951be0f75e7e22583198d58dafa209cc6f061ea1c54a120f700c4a48d63cb88facc1adc043cb70504fef5d7e6ae3db509f19d9b54b432c31c7

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
72KB

MD5
eb369ed34db153da98af775f52a714a1

SHA1
bbf5ebdb3da325ac0cbd2c3f700fd7c527df0d76

SHA256
222516d9e89a48a0ce46ae96915dd69d74389221bd0ae8fc0c98f398d5ca2b86

SHA512
51b8c394f194d9951be0f75e7e22583198d58dafa209cc6f061ea1c54a120f700c4a48d63cb88facc1adc043cb70504fef5d7e6ae3db509f19d9b54b432c31c7

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
51f9439a7f50218a31dbcda61c5e1943

SHA1
1e4f1ed3926f2bb08c7432f8b6500eed68eefe9b

SHA256
02841d70705dc1023ecb7d007b076ad77508f8a433c46a682a2c0fec7c35c15b

SHA512
77ba6634e991b894e038bffade7cddae5d12b363a5fb77d73d094d852bf1008ff4e17b9d95197ba43d2e023bfa1e102eb0ffa8dc032503308b66a75ec315e410

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
51f9439a7f50218a31dbcda61c5e1943

SHA1
1e4f1ed3926f2bb08c7432f8b6500eed68eefe9b

SHA256
02841d70705dc1023ecb7d007b076ad77508f8a433c46a682a2c0fec7c35c15b

SHA512
77ba6634e991b894e038bffade7cddae5d12b363a5fb77d73d094d852bf1008ff4e17b9d95197ba43d2e023bfa1e102eb0ffa8dc032503308b66a75ec315e410

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
5b8d8b5cd76469a2b0e5f5dd78ea72dc

SHA1
f5ada53bcd60d630ac95ddef61ade5e61646f686

SHA256
fdd06adc60e6f3d19c0eab644bb765c3ef70875619f4523546eeb07c23457d1f

SHA512
b3f8aec027461da0ff8b023fbdcd3a01b566c32d91a4ed3711b14483548bb587f0ba2fd18d06c4fba7b71b9f10f1160ec47e4ed708c8cfa5105e4ef064976261

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
5b8d8b5cd76469a2b0e5f5dd78ea72dc

SHA1
f5ada53bcd60d630ac95ddef61ade5e61646f686

SHA256
fdd06adc60e6f3d19c0eab644bb765c3ef70875619f4523546eeb07c23457d1f

SHA512
b3f8aec027461da0ff8b023fbdcd3a01b566c32d91a4ed3711b14483548bb587f0ba2fd18d06c4fba7b71b9f10f1160ec47e4ed708c8cfa5105e4ef064976261

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
178dda1d9ca52c2cc71215f26be24549

SHA1
0ac82c417f572a14d2b6f2a0d6ef5333ebcb038b

SHA256
b6bfcaad30cd7612b57db716bcac9297292215a07eb6eaee27e3e209d8a08e46

SHA512
5eb7a750ce1b60c13b1a6e90a417c80f11f3fc7c6e829f9cd2309e8a43de72186b09fa6bd7616d6a836cf08894df3084a38e662cf370e16cb1d9da527ddd4827

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
178dda1d9ca52c2cc71215f26be24549

SHA1
0ac82c417f572a14d2b6f2a0d6ef5333ebcb038b

SHA256
b6bfcaad30cd7612b57db716bcac9297292215a07eb6eaee27e3e209d8a08e46

SHA512
5eb7a750ce1b60c13b1a6e90a417c80f11f3fc7c6e829f9cd2309e8a43de72186b09fa6bd7616d6a836cf08894df3084a38e662cf370e16cb1d9da527ddd4827

Download Submit
C:\Users\Admin\AppData\Local\Temp\3884108770\backup.exe

Filesize
72KB

MD5
5dd04ebbd07591d0acd15e12dfe6e758

SHA1
b6eb73ca1f09da723e9e23ba7909f09579db11c6

SHA256
dd47384fb7b3061e26f40f716086d9c62593b5d66db84c83e50bbac744af787d

SHA512
a9fa4b253f7627298ae111f82259ccc3a6023d09ab66be521999e506e032a958981db8abf3051da9baae5e788cbf404a5ed7d387dca801e8d3cfd72262ef28da

Download Submit
C:\Users\Admin\AppData\Local\Temp\3884108770\backup.exe

Filesize
72KB

MD5
5dd04ebbd07591d0acd15e12dfe6e758

SHA1
b6eb73ca1f09da723e9e23ba7909f09579db11c6

SHA256
dd47384fb7b3061e26f40f716086d9c62593b5d66db84c83e50bbac744af787d

SHA512
a9fa4b253f7627298ae111f82259ccc3a6023d09ab66be521999e506e032a958981db8abf3051da9baae5e788cbf404a5ed7d387dca801e8d3cfd72262ef28da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
9d97cf449ab9bd78c3734105afac1fec

SHA1
a946d1f372fa8cdbd28e907de137acdabac2a60f

SHA256
fc2187f1e7d708a9c268878ff9cc3f65c3262e7b084a43b880c7c0bc976d408a

SHA512
bd1573ff9e3385851a5977f9cc0636075a04723cbb594445e907a1d2ce152345eb95fdf5fd7a06ac988610d0833b2d77f5676a0e52f38a570f75c4de59d04c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
9d97cf449ab9bd78c3734105afac1fec

SHA1
a946d1f372fa8cdbd28e907de137acdabac2a60f

SHA256
fc2187f1e7d708a9c268878ff9cc3f65c3262e7b084a43b880c7c0bc976d408a

SHA512
bd1573ff9e3385851a5977f9cc0636075a04723cbb594445e907a1d2ce152345eb95fdf5fd7a06ac988610d0833b2d77f5676a0e52f38a570f75c4de59d04c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
635d43b4efa354983ce1ac66dab5bd80

SHA1
6f4ef0d5394105f86b3b822e0eb9ae59fd6e34d7

SHA256
5a61874685786b4b40ec8236f0814c53dc4aa2e86fb9df27acb27494d8badd36

SHA512
6d373c06f9f8b151fdc17c626f6f71bbdc689300f6d58724b6353b1499c988fe722b32d14239db2f871ec92101a58a7cdb585043b5a4b9c01a5b34aa65a6b032

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
635d43b4efa354983ce1ac66dab5bd80

SHA1
6f4ef0d5394105f86b3b822e0eb9ae59fd6e34d7

SHA256
5a61874685786b4b40ec8236f0814c53dc4aa2e86fb9df27acb27494d8badd36

SHA512
6d373c06f9f8b151fdc17c626f6f71bbdc689300f6d58724b6353b1499c988fe722b32d14239db2f871ec92101a58a7cdb585043b5a4b9c01a5b34aa65a6b032

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\System Restore.exe

Filesize
72KB

MD5
40a98ae743f18cf6be7b509342b6f467

SHA1
a3b688cf98de4da1c5d0ab00ddfcff51881a153d

SHA256
9feb830d9e640c0c747bfb41078e6e11926cffe0f55f196515c90dc03c821db0

SHA512
8a75fd62c82b57ed5601fc5f8005f6d40ab1cb4a32dbdfb9ac1137353c4d04d244562be71db9e6c5b5c26425282fc6d675b18e6e24d3d599d02eca0470af8f67

Download Submit
C:\backup.exe

Filesize
72KB

MD5
5c4719d2999e1786daf4568819687b10

SHA1
de40229f9916216bb384aeafd28112ddee0a6d86

SHA256
9af055dda4ebc9e33bb8c97bf990fb53bb3dc464a359fd512082376880aed036

SHA512
cc796711a3dadc452d2bb601e6efeac5293fac670fd54b57572f2f6ad47aa495e5ac59f77d82b3cb1cc977747855e2e2f317117188edfdfd74254550c6d5ee46

Download Submit
C:\backup.exe

Filesize
72KB

MD5
5c4719d2999e1786daf4568819687b10

SHA1
de40229f9916216bb384aeafd28112ddee0a6d86

SHA256
9af055dda4ebc9e33bb8c97bf990fb53bb3dc464a359fd512082376880aed036

SHA512
cc796711a3dadc452d2bb601e6efeac5293fac670fd54b57572f2f6ad47aa495e5ac59f77d82b3cb1cc977747855e2e2f317117188edfdfd74254550c6d5ee46

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
46248d001aee286746f52200cbf97eb6

SHA1
331dc6c4d90ba6364082b536bd30033d480d4b09

SHA256
d40a87624b3b94e5d35554362661832f5b2780fe93dc5203a4557a94c65fe49b

SHA512
683db5374cc1ab09f788b75457ee51bbddacc7c53891e73e0bdc49c17fd33b67608e36a59e6b50fd4140ba1dcd78614fd3df933ab60a51cf490f330693235f57

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
46248d001aee286746f52200cbf97eb6

SHA1
331dc6c4d90ba6364082b536bd30033d480d4b09

SHA256
d40a87624b3b94e5d35554362661832f5b2780fe93dc5203a4557a94c65fe49b

SHA512
683db5374cc1ab09f788b75457ee51bbddacc7c53891e73e0bdc49c17fd33b67608e36a59e6b50fd4140ba1dcd78614fd3df933ab60a51cf490f330693235f57

Download Submit
memory/232-204-0x0000000000000000-mapping.dmp

Download
memory/860-369-0x0000000000000000-mapping.dmp

Download
memory/1052-299-0x0000000000000000-mapping.dmp

Download
memory/1140-309-0x0000000000000000-mapping.dmp

Download
memory/1192-384-0x0000000000000000-mapping.dmp

Download
memory/1224-348-0x0000000000000000-mapping.dmp

Download
memory/1304-209-0x0000000000000000-mapping.dmp

Download
memory/1320-214-0x0000000000000000-mapping.dmp

Download
memory/1452-174-0x0000000000000000-mapping.dmp

Download
memory/1456-175-0x0000000000000000-mapping.dmp

Download
memory/1540-268-0x0000000000000000-mapping.dmp

Download
memory/1612-315-0x0000000000000000-mapping.dmp

Download
memory/1620-165-0x0000000000000000-mapping.dmp

Download
memory/1624-325-0x0000000000000000-mapping.dmp

Download
memory/1632-312-0x0000000000000000-mapping.dmp

Download
memory/1744-159-0x0000000000000000-mapping.dmp

Download
memory/1808-164-0x0000000000000000-mapping.dmp

Download
memory/1812-246-0x0000000000000000-mapping.dmp

Download
memory/1836-328-0x0000000000000000-mapping.dmp

Download
memory/1916-378-0x0000000000000000-mapping.dmp

Download
memory/1968-316-0x0000000000000000-mapping.dmp

Download
memory/1976-270-0x0000000000000000-mapping.dmp

Download
memory/2292-339-0x0000000000000000-mapping.dmp

Download
memory/2352-279-0x0000000000000000-mapping.dmp

Download
memory/2380-199-0x0000000000000000-mapping.dmp

Download
memory/2432-144-0x0000000000000000-mapping.dmp

Download
memory/2476-387-0x0000000000000000-mapping.dmp

Download
memory/2496-280-0x0000000000000000-mapping.dmp

Download
memory/2536-189-0x0000000000000000-mapping.dmp

Download
memory/2692-357-0x0000000000000000-mapping.dmp

Download
memory/2716-184-0x0000000000000000-mapping.dmp

Download
memory/2724-321-0x0000000000000000-mapping.dmp

Download
memory/2728-259-0x0000000000000000-mapping.dmp

Download
memory/2836-221-0x0000000000000000-mapping.dmp

Download
memory/3004-301-0x0000000000000000-mapping.dmp

Download
memory/3048-345-0x0000000000000000-mapping.dmp

Download
memory/3428-220-0x0000000000000000-mapping.dmp

Download
memory/3508-219-0x0000000000000000-mapping.dmp

Download
memory/3536-222-0x0000000000000000-mapping.dmp

Download
memory/3568-298-0x0000000000000000-mapping.dmp

Download
memory/3748-247-0x0000000000000000-mapping.dmp

Download
memory/3908-292-0x0000000000000000-mapping.dmp

Download
memory/3912-351-0x0000000000000000-mapping.dmp

Download
memory/3944-360-0x0000000000000000-mapping.dmp

Download
memory/3980-324-0x0000000000000000-mapping.dmp

Download
memory/3984-342-0x0000000000000000-mapping.dmp

Download
memory/4072-361-0x0000000000000000-mapping.dmp

Download
memory/4088-139-0x0000000000000000-mapping.dmp

Download
memory/4116-289-0x0000000000000000-mapping.dmp

Download
memory/4120-381-0x0000000000000000-mapping.dmp

Download
memory/4468-293-0x0000000000000000-mapping.dmp

Download
memory/4568-336-0x0000000000000000-mapping.dmp

Download
memory/4752-354-0x0000000000000000-mapping.dmp

Download
memory/4768-134-0x0000000000000000-mapping.dmp

Download
memory/4820-375-0x0000000000000000-mapping.dmp

Download
memory/4868-366-0x0000000000000000-mapping.dmp

Download
memory/4924-333-0x0000000000000000-mapping.dmp

Download
memory/4940-154-0x0000000000000000-mapping.dmp

Download
memory/4948-372-0x0000000000000000-mapping.dmp

Download
memory/4960-148-0x0000000000000000-mapping.dmp

Download
memory/4984-261-0x0000000000000000-mapping.dmp

Download
memory/4996-242-0x0000000000000000-mapping.dmp

Download
memory/5056-194-0x0000000000000000-mapping.dmp

Download
memory/5100-239-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads