cc7773c2d7ca1223361c5c5442f0324a4dc44e2e854f9f970776cf1be42ac631

Analysis

max time kernel
163s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aad199c2114ccff16d201d49b15f0ad0.exe
Size

79KB
MD5

aad199c2114ccff16d201d49b15f0ad0
SHA1

6d457ff23e0a70851a7057b2498763e5006a6651
SHA256

cc7773c2d7ca1223361c5c5442f0324a4dc44e2e854f9f970776cf1be42ac631
SHA512

ece2816859ad5d0ed7381e14c0623f825f940f33816ba2c77f6f7c57f37614ef9b85e1b1f236a23e7715e1ed1c3c1dc7d0afb3370cdc2d0b34a52a07665645e5
SSDEEP

768:MpQNwC3BESe4Vqth+0V5vKwQNwC3BE3bqNmCRh5EMk:keT7BVwxfv9eTAGv5zk

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	backup.exe
4860	backup.exe
2208	backup.exe
3476	backup.exe
3176	backup.exe
3868	backup.exe
3496	backup.exe
3520	backup.exe
3488	backup.exe
392	backup.exe
1884	backup.exe
3408	backup.exe
3288	backup.exe
3416	backup.exe
1300	data.exe
3472	backup.exe
1820	backup.exe
3896	backup.exe
4344	backup.exe
2028	backup.exe
2164	backup.exe
1856	backup.exe
5020	backup.exe
3196	backup.exe
4896	backup.exe
3292	backup.exe
2180	backup.exe
4860	backup.exe
3960	backup.exe
3356	backup.exe
1700	backup.exe
2148	backup.exe
3636	backup.exe
4732	backup.exe
4252	update.exe
1596	backup.exe
2736	backup.exe
3288	backup.exe
4724	backup.exe
5036	backup.exe
5100	backup.exe
1296	backup.exe
4904	backup.exe
3888	backup.exe
1556	data.exe
3872	backup.exe
1820	backup.exe
4856	backup.exe
2124	backup.exe
3208	backup.exe
4612	backup.exe
3828	data.exe
1824	backup.exe
3976	backup.exe
2176	backup.exe
1540	backup.exe
1152	data.exe
4604	backup.exe
4496	backup.exe
1628	update.exe
2300	backup.exe
3860	backup.exe
1880	backup.exe
1008	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU55BC.tmp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe	backup.exe

Drops file in Windows directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\it-IT\data.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_32\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	System Restore.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\update.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	data.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe
5112	backup.exe
4860	backup.exe
2208	backup.exe
3476	backup.exe
3176	backup.exe
3868	backup.exe
3496	backup.exe
3520	backup.exe
3488	backup.exe
392	backup.exe
1884	backup.exe
3408	backup.exe
3288	backup.exe
3416	backup.exe
1300	data.exe
3472	backup.exe
1820	backup.exe
3896	backup.exe
2028	backup.exe
4344	backup.exe
2164	backup.exe
1856	backup.exe
5020	backup.exe
3196	backup.exe
4896	backup.exe
4860	backup.exe
3292	backup.exe
2180	backup.exe
3356	backup.exe
3960	backup.exe
1700	backup.exe
3636	backup.exe
4732	backup.exe
2148	backup.exe
1596	backup.exe
4252	update.exe
1296	backup.exe
3288	backup.exe
5100	backup.exe
4724	backup.exe
5036	backup.exe
2736	backup.exe
4904	backup.exe
1556	data.exe
3888	backup.exe
3872	backup.exe
1820	backup.exe
3208	backup.exe
4612	backup.exe
2124	backup.exe
3828	backup.exe
4856	backup.exe
3976	backup.exe
2176	backup.exe
1824	backup.exe
1540	backup.exe
1152	data.exe
3860	backup.exe
4604	backup.exe
1628	update.exe
4496	backup.exe
220	backup.exe
1008	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 5112	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	88
PID 612 wrote to memory of 5112	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	88
PID 612 wrote to memory of 5112	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	88
PID 612 wrote to memory of 4860	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	89
PID 612 wrote to memory of 4860	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	89
PID 612 wrote to memory of 4860	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	89
PID 612 wrote to memory of 2208	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	90
PID 612 wrote to memory of 2208	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	90
PID 612 wrote to memory of 2208	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	90
PID 612 wrote to memory of 3476	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	91
PID 612 wrote to memory of 3476	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	91
PID 612 wrote to memory of 3476	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	91
PID 612 wrote to memory of 3176	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	92
PID 612 wrote to memory of 3176	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	92
PID 612 wrote to memory of 3176	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	92
PID 612 wrote to memory of 3868	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	93
PID 612 wrote to memory of 3868	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	93
PID 612 wrote to memory of 3868	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	93
PID 612 wrote to memory of 3496	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	94
PID 612 wrote to memory of 3496	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	94
PID 612 wrote to memory of 3496	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	94
PID 612 wrote to memory of 3520	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	95
PID 612 wrote to memory of 3520	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	95
PID 612 wrote to memory of 3520	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	95
PID 5112 wrote to memory of 3488	5112	backup.exe	96
PID 5112 wrote to memory of 3488	5112	backup.exe	96
PID 5112 wrote to memory of 3488	5112	backup.exe	96
PID 612 wrote to memory of 392	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	97
PID 612 wrote to memory of 392	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	97
PID 612 wrote to memory of 392	612	NEAS.aad199c2114ccff16d201d49b15f0ad0.exe	97
PID 3488 wrote to memory of 1884	3488	backup.exe	98
PID 3488 wrote to memory of 1884	3488	backup.exe	98
PID 3488 wrote to memory of 1884	3488	backup.exe	98
PID 392 wrote to memory of 3408	392	backup.exe	99
PID 392 wrote to memory of 3408	392	backup.exe	99
PID 392 wrote to memory of 3408	392	backup.exe	99
PID 3488 wrote to memory of 3288	3488	backup.exe	100
PID 3488 wrote to memory of 3288	3488	backup.exe	100
PID 3488 wrote to memory of 3288	3488	backup.exe	100
PID 3408 wrote to memory of 3416	3408	backup.exe	101
PID 3408 wrote to memory of 3416	3408	backup.exe	101
PID 3408 wrote to memory of 3416	3408	backup.exe	101
PID 3488 wrote to memory of 1300	3488	backup.exe	102
PID 3488 wrote to memory of 1300	3488	backup.exe	102
PID 3488 wrote to memory of 1300	3488	backup.exe	102
PID 1300 wrote to memory of 3472	1300	data.exe	104
PID 1300 wrote to memory of 3472	1300	data.exe	104
PID 1300 wrote to memory of 3472	1300	data.exe	104
PID 3472 wrote to memory of 1820	3472	backup.exe	105
PID 3472 wrote to memory of 1820	3472	backup.exe	105
PID 3472 wrote to memory of 1820	3472	backup.exe	105
PID 1300 wrote to memory of 3896	1300	data.exe	106
PID 1300 wrote to memory of 3896	1300	data.exe	106
PID 1300 wrote to memory of 3896	1300	data.exe	106
PID 3488 wrote to memory of 4344	3488	backup.exe	108
PID 3488 wrote to memory of 4344	3488	backup.exe	108
PID 3488 wrote to memory of 4344	3488	backup.exe	108
PID 3896 wrote to memory of 2028	3896	backup.exe	107
PID 3896 wrote to memory of 2028	3896	backup.exe	107
PID 3896 wrote to memory of 2028	3896	backup.exe	107
PID 4344 wrote to memory of 2164	4344	backup.exe	111
PID 4344 wrote to memory of 2164	4344	backup.exe	111
PID 4344 wrote to memory of 2164	4344	backup.exe	111
PID 3896 wrote to memory of 1856	3896	backup.exe	110

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.aad199c2114ccff16d201d49b15f0ad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aad199c2114ccff16d201d49b15f0ad0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612
- C:\Users\Admin\AppData\Local\Temp\{5AFDB992-830B-4157-B0F4-D41C68E54BA0}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{5AFDB992-830B-4157-B0F4-D41C68E54BA0}\backup.exe C:\Users\Admin\AppData\Local\Temp\{5AFDB992-830B-4157-B0F4-D41C68E54BA0}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1884
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3288
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2028
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3196
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3356
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2148
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        
        PID:2848
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1180
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:2144
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        
        PID:1452
        
        C:\Program Files (x86)\Google\Update\Install\{2E401999-8512-4AB8-A131-FEF20E3CEB55}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{2E401999-8512-4AB8-A131-FEF20E3CEB55}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{2E401999-8512-4AB8-A131-FEF20E3CEB55}\
        9⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:2976
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:652
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:3136
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        System policy modification
        
        PID:3224
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2976
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:3712
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:740
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2208
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:3208
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        System policy modification
        
        PID:1396
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        System policy modification
        
        PID:3804
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3516
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        9⤵
        
        PID:3624
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2152
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:4000
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:3352
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:3204
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:4716
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:2808
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:3860
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:4780
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:3212
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:384
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4172
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4360
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:3832
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2956
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\data.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2044
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:3880
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2956
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1928
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:1248
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:2732
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:1540
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:4636
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:4912
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:444
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2176
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1880
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2868
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1564
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2732
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4880
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3468
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2652
        
        C:\Program Files\Common Files\System\de-DE\data.exe
        
        "C:\Program Files\Common Files\System\de-DE\data.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3024
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:3532
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1848
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:336
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1540
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:3552
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:5096
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        Drops file in Program Files directory
        
        PID:1556
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4360
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4428
        
        C:\Program Files\Common Files\System\msadc\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\update.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:392
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:928
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4884
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4048
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3324
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1684
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3300
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\update.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:3348
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3292
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3960
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\data.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:4560
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:3628
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        System policy modification
        
        PID:2908
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:5056
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\data.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5016
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3888
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4904
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        
        PID:4612
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4604
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:5068
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4572
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4736
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1028
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:808
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2076
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4372
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        Drops file in Program Files directory
        
        PID:4708
        
        C:\Program Files\Java\jre-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        
        PID:1540
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\data.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        System policy modification
        
        PID:792
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:3852
        
        C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:3016
        
        C:\Program Files\Java\jre-1.8\legal\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\legal\System Restore.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        Drops file in Program Files directory
        
        PID:5088
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        
        PID:2300
        
        C:\Program Files\Java\jre-1.8\legal\jdk\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\System Restore.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        
        PID:3940
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:4172
        
        C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:2868
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:4260
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:4628
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:1456
      - C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:1648
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3836
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3260
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:4352
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\System Restore.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:4272
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        System policy modification
        
        PID:2080
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:1112
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        System policy modification
        
        PID:984
        
        C:\Program Files\Microsoft Office\root\Integration\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\System Restore.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:964
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Drops file in Program Files directory
        
        PID:4128
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:4892
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:3152
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:688
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1952
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4992
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:1400
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3164
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:5060
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:3364
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:5080
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4412
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:3196
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:2192
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2232
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2164
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:3700
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:2872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:1176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:3860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:3472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        
        PID:3948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:3220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        Drops file in Program Files directory
        
        PID:2588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:4816
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:3828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:1312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        System policy modification
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
        10⤵
        System policy modification
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:5100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:3340
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3288
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:3416
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        System policy modification
        
        PID:5036
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:4808
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:4456
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:2880
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        
        PID:3416
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:4780
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        System policy modification
        
        PID:3772
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:4992
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        System policy modification
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Drops file in Program Files directory
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4892
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:3260
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:2748
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        System policy modification
        
        PID:3840
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:3528
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:3224
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4364
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        System policy modification
        
        PID:3300
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3892
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:5000
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:5012
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:5020
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:4128
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        9⤵
        
        PID:1660
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\data.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        10⤵
        
        PID:868
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        System policy modification
        
        PID:3628
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:5032
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:1460
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        System policy modification
        
        PID:1096
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:660
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:4124
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:4360
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4984
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1452
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:4592
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3984
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:4872
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:3496
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:3868
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:5084
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        Drops file in Program Files directory
        
        PID:3188
        
        C:\Program Files (x86)\Common Files\Oracle\Java\update.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\update.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:4040
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:4088
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:4820
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:4436
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:2024
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4372
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        System policy modification
        
        PID:5048
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:180
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:5088
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:5008
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1652
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3760
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:3684
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:3700
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:4728
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:1148
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1000
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:4636
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2956
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        System policy modification
        
        PID:1452
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4692
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2412
      - C:\Program Files (x86)\Internet Explorer\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\System Restore.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:940
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:3324
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2300
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:3208
      - C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:3220
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:5084
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4000
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1356
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:2148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Drops file in Program Files directory
        
        PID:2116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:2508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        System policy modification
        
        PID:5116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:1084
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4832
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\
        7⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:3476
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{3CD8D8DB-1137-420F-B48A-D8DD06C06BAE}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{3CD8D8DB-1137-420F-B48A-D8DD06C06BAE}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{3CD8D8DB-1137-420F-B48A-D8DD06C06BAE}\
        8⤵
        
        PID:3352
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        Drops file in Program Files directory
        
        PID:1960
        
        C:\Program Files (x86)\Microsoft\Temp\EU55BC.tmp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU55BC.tmp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\EU55BC.tmp\
        7⤵
        
        PID:4272
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        Drops file in Program Files directory
        
        PID:5060
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:1244
      - C:\Program Files (x86)\Microsoft.NET\RedistList\data.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\data.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1596
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:4868
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:2848
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:428
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:1060
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4724
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
      - C:\Users\Admin\3D Objects\data.exe
        
        "C:\Users\Admin\3D Objects\data.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:220
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:4596
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3828
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        System policy modification
        
        PID:1636
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:444
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2508
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4596
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2972
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Executes dropped EXE
        
        PID:2300
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:4228
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:5036
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:856
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:5080
      - C:\Users\Admin\Videos\data.exe
        
        C:\Users\Admin\Videos\data.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:4836
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        System policy modification
        
        PID:3872
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:4436
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:1952
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2300
      - C:\Users\Public\Music\data.exe
        
        C:\Users\Public\Music\data.exe C:\Users\Public\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4896
      - C:\Users\Public\Pictures\update.exe
        
        C:\Users\Public\Pictures\update.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4364
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        System policy modification
        
        PID:1400
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4416
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:792
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:4552
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        
        PID:1108
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:740
      - C:\Windows\appcompat\encapsulation\System Restore.exe
        
        "C:\Windows\appcompat\encapsulation\System Restore.exe" C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:4912
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:672
    - - C:\Windows\apppatch\update.exe
        
        C:\Windows\apppatch\update.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2960
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1296
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:2208
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:2588
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        System policy modification
        
        PID:2804
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:2396
      - C:\Windows\apppatch\it-IT\data.exe
        
        C:\Windows\apppatch\it-IT\data.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:5024
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:2144
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:3292
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:4780
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:4900
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4664
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4924
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4168
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:3476
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2320
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:3516
        
        C:\Windows\assembly\GAC\mscomctl\data.exe
        
        C:\Windows\assembly\GAC\mscomctl\data.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1316
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:3880
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:4712
      - C:\Windows\assembly\GAC_32\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\System Restore.exe" C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:4688
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:5036
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3992
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4052
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\update.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\update.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:4912
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:940
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        Drops file in Windows directory
        
        PID:3412
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:2120
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:4680
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:1928
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:4848
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3408
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3688
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:1628
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:3212
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:3984
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:4000
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:232
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:2960
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:4428
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:4332
- C:\Users\Admin\AppData\Local\Temp\11111941\backup.exe
  C:\Users\Admin\AppData\Local\Temp\11111941\backup.exe C:\Users\Admin\AppData\Local\Temp\11111941\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3416

C:\Program Files\Java\jdk-1.8\backup.exe
"C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
1⤵
- Drops file in Program Files directory
PID:1804
- C:\Program Files\Java\jdk-1.8\bin\backup.exe
  "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
  2⤵
  PID:4560
- C:\Program Files\Java\jdk-1.8\include\backup.exe
  "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3468
- - C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
    "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
    3⤵
    - Drops file in Program Files directory
    PID:2588
  - - C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
      "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
      4⤵
      System policy modification
      PID:4672
- C:\Program Files\Java\jdk-1.8\jre\backup.exe
  "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
  2⤵
  PID:3832
- - C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
    3⤵
    PID:5036
  - - C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
      4⤵
      PID:2312
  - - C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
      4⤵
      PID:2300
  - - C:\Program Files\Java\jdk-1.8\jre\bin\server\System Restore.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\server\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3504
- - C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5064
  - - C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
      4⤵
      PID:2652
  - - C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1660
- - C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
    3⤵
    - Drops file in Program Files directory
    PID:4132
  - - C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
      4⤵
      PID:3624
  - - C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
      4⤵
      PID:2828
  - - C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5076
  - - C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
      4⤵
      System policy modification
      PID:3312
  - - C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
      4⤵
      PID:4724
  - - C:\Program Files\Java\jdk-1.8\jre\lib\fonts\update.exe
      "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
      4⤵
      PID:2872
- C:\Program Files\Java\jdk-1.8\legal\backup.exe
  "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
  2⤵
  - System policy modification
  PID:220
- - C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
    "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:3984
- - C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
    "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
    3⤵
    PID:2972
- C:\Program Files\Java\jdk-1.8\lib\backup.exe
  "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
  2⤵
  PID:316
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System Restore.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System Restore.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
  2⤵
  PID:3700

C:\Windows\apppatch\AppPatch64\backup.exe
C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
1⤵
PID:2900

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
PID:844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
1⤵
- Drops file in Program Files directory
PID:4904
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
  2⤵
  - System policy modification
  PID:5000

C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
1⤵
- Drops file in Program Files directory
PID:3016
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
  2⤵
  PID:1804
- - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
    3⤵
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
C:\PerfLogs\backup.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
79KB

MD5
adb22a516e50ce5cbae091f91609ff2f

SHA1
79a24a141c0fd6cdcd5174b7c4675fee9f21dc47

SHA256
c144950602b83d9f0282402b65bccc7cc8116c1f5bca070c79ce5247dcb79c4b

SHA512
518fb326160d00d43021c39c4a8312fc4338f86fadaed7b896255cea2aff26dd572b7dc39013fd5fc1ccf864c30e354249a4c0ea570244c3c510caf5ec1553ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
79KB

MD5
adb22a516e50ce5cbae091f91609ff2f

SHA1
79a24a141c0fd6cdcd5174b7c4675fee9f21dc47

SHA256
c144950602b83d9f0282402b65bccc7cc8116c1f5bca070c79ce5247dcb79c4b

SHA512
518fb326160d00d43021c39c4a8312fc4338f86fadaed7b896255cea2aff26dd572b7dc39013fd5fc1ccf864c30e354249a4c0ea570244c3c510caf5ec1553ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
79KB

MD5
0a916320776cef1acd99ebe26c63254e

SHA1
d7c82748f5375d9e271e4388796b2f6e83d6e24c

SHA256
2e1fcd3c400e6f33f8429ea12d140f1b669016504ca79cb9e351380709ccc549

SHA512
45349460832ada08eb7c129ede89bf907b6085e003b2d7ea45cf13477554e5e49965fcc04929406f7143c33cea606445c82aab82f3b6ddcdb5e7cd40cbc6f7bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
79KB

MD5
0a916320776cef1acd99ebe26c63254e

SHA1
d7c82748f5375d9e271e4388796b2f6e83d6e24c

SHA256
2e1fcd3c400e6f33f8429ea12d140f1b669016504ca79cb9e351380709ccc549

SHA512
45349460832ada08eb7c129ede89bf907b6085e003b2d7ea45cf13477554e5e49965fcc04929406f7143c33cea606445c82aab82f3b6ddcdb5e7cd40cbc6f7bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
79KB

MD5
581f9d6405f9a7f70fdb3f55691a06c4

SHA1
0710d2eefc41d1ca61bcf31d3a8d5c8947454c56

SHA256
66104b18b2ee7e4fa2d5210913b6bec85bf4072873c2819f93345ef0a9275f21

SHA512
a97cd99d97a8b4d49f56276222af8edd16e405cd85de27d43a4f01b2fff134e0b22c824f7832eb12f6b793dd680b5d518d8c8bc79e7225beb153a6dda6425d54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
79KB

MD5
581f9d6405f9a7f70fdb3f55691a06c4

SHA1
0710d2eefc41d1ca61bcf31d3a8d5c8947454c56

SHA256
66104b18b2ee7e4fa2d5210913b6bec85bf4072873c2819f93345ef0a9275f21

SHA512
a97cd99d97a8b4d49f56276222af8edd16e405cd85de27d43a4f01b2fff134e0b22c824f7832eb12f6b793dd680b5d518d8c8bc79e7225beb153a6dda6425d54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
79KB

MD5
480515fd2f0600b0a2dba7be7d4914a7

SHA1
36aebf87ee688f71e2d67b83c2c5470be2f6e3c5

SHA256
a501d057c15a894965eac16cfd9eef318e4a647c32471b2f986fcaee4113ad1c

SHA512
70e850b99fd3e44e34043cfefe9da1584b092d6bd95db77e4f2eac158ae6f141c25b52ab9d50b4f78d623fe396f1b9dc2154e81c289a161b2fd555c96eb70974

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
79KB

MD5
480515fd2f0600b0a2dba7be7d4914a7

SHA1
36aebf87ee688f71e2d67b83c2c5470be2f6e3c5

SHA256
a501d057c15a894965eac16cfd9eef318e4a647c32471b2f986fcaee4113ad1c

SHA512
70e850b99fd3e44e34043cfefe9da1584b092d6bd95db77e4f2eac158ae6f141c25b52ab9d50b4f78d623fe396f1b9dc2154e81c289a161b2fd555c96eb70974

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
79KB

MD5
b2e95946a69ae6d24ef51baba9ba9033

SHA1
4e54215408d6c9514b3b0bf91ea7e089ba881059

SHA256
22d7affb8784b86db3dacf389ba2df87ea04ac5d65915cbec52113ddbd617c49

SHA512
bf77a50e2da6d3b238f9b0d41852bd02d7aa4067510ed7a8223059f49c130aadabd1bac7e5beac8023eb8e8097a8b4a2d360c139706ed8e414ed747ac2308e14

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
79KB

MD5
b2e95946a69ae6d24ef51baba9ba9033

SHA1
4e54215408d6c9514b3b0bf91ea7e089ba881059

SHA256
22d7affb8784b86db3dacf389ba2df87ea04ac5d65915cbec52113ddbd617c49

SHA512
bf77a50e2da6d3b238f9b0d41852bd02d7aa4067510ed7a8223059f49c130aadabd1bac7e5beac8023eb8e8097a8b4a2d360c139706ed8e414ed747ac2308e14

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
79KB

MD5
8b4be3a17bdf3ac965f217769b1f6844

SHA1
b3467d3391aad0dfbf34c57310be473e584bd81e

SHA256
f4370b13d8cbf57199267788239bb7c72fb22b2270418650197472e3617eef41

SHA512
2dc637fe70ca0f5007a99b1a6a15aa12f9897d5ea97c6f808a322e4861cfb6286fd139d39b600423da96e9bef790a421eee9290a1b47b8bce260f4a1aab3939a

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
79KB

MD5
8b4be3a17bdf3ac965f217769b1f6844

SHA1
b3467d3391aad0dfbf34c57310be473e584bd81e

SHA256
f4370b13d8cbf57199267788239bb7c72fb22b2270418650197472e3617eef41

SHA512
2dc637fe70ca0f5007a99b1a6a15aa12f9897d5ea97c6f808a322e4861cfb6286fd139d39b600423da96e9bef790a421eee9290a1b47b8bce260f4a1aab3939a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
79KB

MD5
0b18b2356cb862235b0e2ab7c1e9f41b

SHA1
b48c69b7743a716958250d787f59756f9d7abf6e

SHA256
d7e7b6d88499ef4550ef4dc8eb4ba24393861c2dd4d56962e5c1c6622fbc9b8a

SHA512
3a1eb340a742d997f302bfee351ed66ba739e71edee4a036c1ea2cedf08874abb175ac4281df8065440da743e76b23a9989b538488f62aa0be645190fa105848

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
79KB

MD5
0b18b2356cb862235b0e2ab7c1e9f41b

SHA1
b48c69b7743a716958250d787f59756f9d7abf6e

SHA256
d7e7b6d88499ef4550ef4dc8eb4ba24393861c2dd4d56962e5c1c6622fbc9b8a

SHA512
3a1eb340a742d997f302bfee351ed66ba739e71edee4a036c1ea2cedf08874abb175ac4281df8065440da743e76b23a9989b538488f62aa0be645190fa105848

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
79KB

MD5
3e04a51442846e20b0892399e4332045

SHA1
2df47d2a358d8425c7b1ddba7d5de08269c76386

SHA256
b520d631d8df8210a5f80098f6da4ce55f7f2a8cffa84d5f89e2159ba0ef014a

SHA512
8c122d1baa5400cbaf3175058e3745005dff7a55aadbb984f66c6bf3ea88ed9e32880b9a2982cc410f934b10eff1035e4e079c0e486125fb02e80fada6184e79

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
79KB

MD5
3e04a51442846e20b0892399e4332045

SHA1
2df47d2a358d8425c7b1ddba7d5de08269c76386

SHA256
b520d631d8df8210a5f80098f6da4ce55f7f2a8cffa84d5f89e2159ba0ef014a

SHA512
8c122d1baa5400cbaf3175058e3745005dff7a55aadbb984f66c6bf3ea88ed9e32880b9a2982cc410f934b10eff1035e4e079c0e486125fb02e80fada6184e79

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
79KB

MD5
d7e7db42922350500856a47efbfb41f1

SHA1
c07d9d51b2da090fff10fc019e09df8637a545da

SHA256
0a9138deef00985446b79f479b5f3d4567315d33fd1b3ffa827c8920832d1f1a

SHA512
fe88abafaac40465611b18c75783b04dff1dc06097239402bac7a878e28a431e87ede4666ee14a33751deaa3f270578e3d4875e7afcccd127b527f9889fa357a

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
79KB

MD5
d7e7db42922350500856a47efbfb41f1

SHA1
c07d9d51b2da090fff10fc019e09df8637a545da

SHA256
0a9138deef00985446b79f479b5f3d4567315d33fd1b3ffa827c8920832d1f1a

SHA512
fe88abafaac40465611b18c75783b04dff1dc06097239402bac7a878e28a431e87ede4666ee14a33751deaa3f270578e3d4875e7afcccd127b527f9889fa357a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
79KB

MD5
4109d65f537165d9151b7981a50831fb

SHA1
c5d88e531201147a1625301691f96de5fff7af9f

SHA256
01ee6a675c206164ec9431f4351f47c19ac35759c6eef574734569397b96312b

SHA512
7c4da56552a4d86646fbe431629d867c64ef90e95ef7f171170ba1959a10387804cd7f87e5713406c79e09e1e84a43878a43a3f9c9b1e5d8fde686261ec58a5b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
79KB

MD5
4109d65f537165d9151b7981a50831fb

SHA1
c5d88e531201147a1625301691f96de5fff7af9f

SHA256
01ee6a675c206164ec9431f4351f47c19ac35759c6eef574734569397b96312b

SHA512
7c4da56552a4d86646fbe431629d867c64ef90e95ef7f171170ba1959a10387804cd7f87e5713406c79e09e1e84a43878a43a3f9c9b1e5d8fde686261ec58a5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
79KB

MD5
59c771e6459896b6c7e647c18865735f

SHA1
2122e75f3ba83fe0fe9ee122cc0ca01e5556f277

SHA256
f6995885db527a5e5a1d273e582b2486137b3f1a50bf1f34a7fb233a218ac495

SHA512
b79c24b15e566996cbe164f8a9e25a07568bd28529d00e28992ef4ec81944c827fdece1e03d09d7f920486e8df3a85037b8172b6348abb3fe71b2b155b84b25c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
79KB

MD5
59c771e6459896b6c7e647c18865735f

SHA1
2122e75f3ba83fe0fe9ee122cc0ca01e5556f277

SHA256
f6995885db527a5e5a1d273e582b2486137b3f1a50bf1f34a7fb233a218ac495

SHA512
b79c24b15e566996cbe164f8a9e25a07568bd28529d00e28992ef4ec81944c827fdece1e03d09d7f920486e8df3a85037b8172b6348abb3fe71b2b155b84b25c

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
79KB

MD5
1598665e657de8f7841589efc1c9655f

SHA1
035ea3b6f80f532fa87cefb3c1e1785a0fc7c3e4

SHA256
0f917bb70a3d789cc3eb4277cffa966e6e8e17d337a1dfe7677511dcfe4ccaca

SHA512
d4be34307fed7ac4fc6746197f53d0a96e813773ad36d256120cdd32eab11c433790cdd3ac51691ebcd2867a369f3e224b6aea14b493875d0c6826b7889ae052

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
79KB

MD5
1598665e657de8f7841589efc1c9655f

SHA1
035ea3b6f80f532fa87cefb3c1e1785a0fc7c3e4

SHA256
0f917bb70a3d789cc3eb4277cffa966e6e8e17d337a1dfe7677511dcfe4ccaca

SHA512
d4be34307fed7ac4fc6746197f53d0a96e813773ad36d256120cdd32eab11c433790cdd3ac51691ebcd2867a369f3e224b6aea14b493875d0c6826b7889ae052

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
79KB

MD5
64649969c62e6596b4118c5fa34803a1

SHA1
dde035ab19a753c90722db2ec319fc6e977fedbb

SHA256
a0b79a152e5a841d08def3e50a4fc1452c7a19558245a1660fbb5cc3b18bcf5d

SHA512
27907d0e1cbcc87736fd5b6167995a258950b10cca2ee16eb2a39047ac5f02154fd9656fe877b9ddd387ab9055c3bddf1ac60ac471eb9b8c2fe0fe4e88cc64aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
79KB

MD5
64649969c62e6596b4118c5fa34803a1

SHA1
dde035ab19a753c90722db2ec319fc6e977fedbb

SHA256
a0b79a152e5a841d08def3e50a4fc1452c7a19558245a1660fbb5cc3b18bcf5d

SHA512
27907d0e1cbcc87736fd5b6167995a258950b10cca2ee16eb2a39047ac5f02154fd9656fe877b9ddd387ab9055c3bddf1ac60ac471eb9b8c2fe0fe4e88cc64aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
79KB

MD5
974c6f8f687cd74d5e8b9ad4a773e0a6

SHA1
e374d1b1e871a7f8d3a780c39020db96d2279d7b

SHA256
9a6d342d8dfcb36f281a53e5fd6febc750b05394501677827dd9f5ec3d4af0e1

SHA512
346c745b1858f3998027806f58c26bc224ef861f34760e7c1736f18e2673c374ec7eefa1943f0984e06357ba42bcaa894b3dc0c0b586b77098abba0ce574b4c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
79KB

MD5
974c6f8f687cd74d5e8b9ad4a773e0a6

SHA1
e374d1b1e871a7f8d3a780c39020db96d2279d7b

SHA256
9a6d342d8dfcb36f281a53e5fd6febc750b05394501677827dd9f5ec3d4af0e1

SHA512
346c745b1858f3998027806f58c26bc224ef861f34760e7c1736f18e2673c374ec7eefa1943f0984e06357ba42bcaa894b3dc0c0b586b77098abba0ce574b4c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
79KB

MD5
81428b2262fd926d51fe08a0e77f0d04

SHA1
89103adf7b8f263200e2b768eaf7335fa7d3243c

SHA256
f891f6db4a6695f8c029b1bdd4ad0977d4c8ae2a3b16624e07f0e8eea0b84097

SHA512
b7971b7134af286426a8e99035dccb362e6f5c928cef5d834f34e572175f98e3905b7e6cc095c77932afe6b8af8ce5151b149e67c51a8fb6b111149c67e2713e

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe

Filesize
79KB

MD5
5bc4c8f2525d7579196a9b93532fc1b8

SHA1
d343e6d30701f09c44a6be1420e95eb4e9b92266

SHA256
f00a30e2f80c35ac9132f73e24873440c8bfe6e987b58b146dbe49f5728effb1

SHA512
d391729724dce6af6ce16e736da2748bc2fbac0615681e5aa8e40064de2f11e71e5a9e4820663858435a92d2e1e19a4674cc376104aab63cba90227519f8d01f

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
79KB

MD5
18e38da6edf3629188b202bc8ac1abee

SHA1
074ecfdffe0d704322a303856340d6a11db755e8

SHA256
a2096344811b7ee2111dac9678165113621194b0676b4229c088e96939db6f6f

SHA512
2b6d2bf6274e39b9fa01b1977b391ad436b7e975f035401fca5e4bf5d759761d680eadde409f9bf99e103bf692956fbd3846b455af6a3e3f0e3fe5b1e0fa9507

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
79KB

MD5
18e38da6edf3629188b202bc8ac1abee

SHA1
074ecfdffe0d704322a303856340d6a11db755e8

SHA256
a2096344811b7ee2111dac9678165113621194b0676b4229c088e96939db6f6f

SHA512
2b6d2bf6274e39b9fa01b1977b391ad436b7e975f035401fca5e4bf5d759761d680eadde409f9bf99e103bf692956fbd3846b455af6a3e3f0e3fe5b1e0fa9507

Download Submit
C:\Program Files\Google\backup.exe

Filesize
79KB

MD5
ee36526fa760ebe3bc0923db6444eac3

SHA1
937b1046a4d765463c59c41223ddc5919de0f9a8

SHA256
50aa11de0ed538230e35eb59e550a7a3e96165140caf2739ea2842130850eded

SHA512
d4a0c1c13974dd2c5bb9dd97e237927fe01a060d93fe7e0b64bda4cc66d9b52e1cf621645e00a7bbe4c097f44a100512a5ef43bcf1ae0914c153d6093b236302

Download Submit
C:\Program Files\Google\backup.exe

Filesize
79KB

MD5
ee36526fa760ebe3bc0923db6444eac3

SHA1
937b1046a4d765463c59c41223ddc5919de0f9a8

SHA256
50aa11de0ed538230e35eb59e550a7a3e96165140caf2739ea2842130850eded

SHA512
d4a0c1c13974dd2c5bb9dd97e237927fe01a060d93fe7e0b64bda4cc66d9b52e1cf621645e00a7bbe4c097f44a100512a5ef43bcf1ae0914c153d6093b236302

Download Submit
C:\Program Files\data.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
C:\Program Files\data.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111941\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111941\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111941\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
79KB

MD5
545312d21091d96c9ca0bb8aa097cbbc

SHA1
d100763205b3b057424c118ccdfac4193289f19c

SHA256
59328702ea0af8857dfcc2ce3ec678b38972abf0afd91691da80f7fae01ec2b7

SHA512
b9c5e5fe5299c6fffae63e3186842157fa7168e11dd329675930caf9e873d73b5ad037138fc0e760ec90b6b8463540b5f58fc66d03eebe75ecc3e975d42831cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
79KB

MD5
545312d21091d96c9ca0bb8aa097cbbc

SHA1
d100763205b3b057424c118ccdfac4193289f19c

SHA256
59328702ea0af8857dfcc2ce3ec678b38972abf0afd91691da80f7fae01ec2b7

SHA512
b9c5e5fe5299c6fffae63e3186842157fa7168e11dd329675930caf9e873d73b5ad037138fc0e760ec90b6b8463540b5f58fc66d03eebe75ecc3e975d42831cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
79KB

MD5
c60f137332b5419b0e1f600945e64219

SHA1
a6316fa9fdb4ec66969efa5d8cf04beeee4e0925

SHA256
05607a052c163af66823475fb772c1d762fc8b7a5928813282a435ad5a1192e2

SHA512
a273293c6084409960fa104560d54f9f3267d0d6b1accf559d98dd2a351a4e68d5c756bae895cacc30c4b47ef6c78593bb5b27a38718bbd9522eb9f3b1eb7792

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
79KB

MD5
c60f137332b5419b0e1f600945e64219

SHA1
a6316fa9fdb4ec66969efa5d8cf04beeee4e0925

SHA256
05607a052c163af66823475fb772c1d762fc8b7a5928813282a435ad5a1192e2

SHA512
a273293c6084409960fa104560d54f9f3267d0d6b1accf559d98dd2a351a4e68d5c756bae895cacc30c4b47ef6c78593bb5b27a38718bbd9522eb9f3b1eb7792

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
79KB

MD5
7975bc04c3372b72d8f7ebfea6fddf71

SHA1
a913b19dfce42aa92be9db164c52b1405b9a969d

SHA256
54c0338062e4032add24edc38dfac2c27aa46b3a95ed773f5739ca19e6bb9c5c

SHA512
0457bd72987a7b6e9a444fe13a9fc80472dfed69d26d116aafbab0c5d65a1905c6c1abebeb3c82c6ae269d74ece4f06cf1ddc93b35c66ffc31c87189fe83d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
79KB

MD5
7975bc04c3372b72d8f7ebfea6fddf71

SHA1
a913b19dfce42aa92be9db164c52b1405b9a969d

SHA256
54c0338062e4032add24edc38dfac2c27aa46b3a95ed773f5739ca19e6bb9c5c

SHA512
0457bd72987a7b6e9a444fe13a9fc80472dfed69d26d116aafbab0c5d65a1905c6c1abebeb3c82c6ae269d74ece4f06cf1ddc93b35c66ffc31c87189fe83d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
79KB

MD5
7975bc04c3372b72d8f7ebfea6fddf71

SHA1
a913b19dfce42aa92be9db164c52b1405b9a969d

SHA256
54c0338062e4032add24edc38dfac2c27aa46b3a95ed773f5739ca19e6bb9c5c

SHA512
0457bd72987a7b6e9a444fe13a9fc80472dfed69d26d116aafbab0c5d65a1905c6c1abebeb3c82c6ae269d74ece4f06cf1ddc93b35c66ffc31c87189fe83d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
79KB

MD5
7975bc04c3372b72d8f7ebfea6fddf71

SHA1
a913b19dfce42aa92be9db164c52b1405b9a969d

SHA256
54c0338062e4032add24edc38dfac2c27aa46b3a95ed773f5739ca19e6bb9c5c

SHA512
0457bd72987a7b6e9a444fe13a9fc80472dfed69d26d116aafbab0c5d65a1905c6c1abebeb3c82c6ae269d74ece4f06cf1ddc93b35c66ffc31c87189fe83d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5AFDB992-830B-4157-B0F4-D41C68E54BA0}\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5AFDB992-830B-4157-B0F4-D41C68E54BA0}\backup.exe

Filesize
79KB

MD5
cb1cf4ef4191e7b756097d6a487a5c2b

SHA1
0ff1db18f5479ba8abdfde75ee97067a704a2e44

SHA256
040aebc11f1d03fed6977471df2e7fc38d1631b0f4260b17afc30fa8e331703a

SHA512
34c5a5b3ecf2244e12daa15e1f55db6c6e156330f22a7393a964ce846b7b502eff73c91a09f2bfc116d19fb886fa6ba9dc07ce3eaead8c5281b8f9284e667a58

Download Submit
C:\backup.exe

Filesize
79KB

MD5
d5939286d0ef6e2de895d1d285ad135b

SHA1
8fb8ebae166a0af469e37b28ad8bd119dc84fb73

SHA256
d29cf86fa4a29be16875e75c3bb2dcdeefaffb2d19c3b061498cf46c010c8d2c

SHA512
33b9354411818fd1ff7b5d65eb886334ffff1e31ed79434121e8f4ad7fd8b78a0f9c2f01904d56a0e229fd40ebfa9189f90504c2514e22eb62b3fc15c8677aa3

Download Submit
C:\backup.exe

Filesize
79KB

MD5
d5939286d0ef6e2de895d1d285ad135b

SHA1
8fb8ebae166a0af469e37b28ad8bd119dc84fb73

SHA256
d29cf86fa4a29be16875e75c3bb2dcdeefaffb2d19c3b061498cf46c010c8d2c

SHA512
33b9354411818fd1ff7b5d65eb886334ffff1e31ed79434121e8f4ad7fd8b78a0f9c2f01904d56a0e229fd40ebfa9189f90504c2514e22eb62b3fc15c8677aa3

Download Submit
C:\odt\backup.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
C:\odt\backup.exe

Filesize
79KB

MD5
d3a7db4a6d3e29c9d250ef6a735fa1d7

SHA1
d4f0c2b5027f3d8d76278c85886cd554237a2640

SHA256
24488a9e607a7d4652b19faa02a9b6b79ca00384cbc18267d71420ac61eb9151

SHA512
bccb0909c4525e31908f7b4c51fd6758c1954208d911520b73eab12f2807e231acd75ed635b2b46f1e5c61ce0a9b4577bcfbfbd1b76745b29967e2c4fb38576e

Download Submit
memory/220-393-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/392-102-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/612-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/612-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/852-454-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1008-481-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1152-374-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1180-482-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1296-302-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1300-430-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1540-362-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1564-470-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1596-301-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1628-391-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1700-241-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1820-128-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1820-317-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1824-346-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1884-83-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2028-151-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2148-242-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2164-247-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2208-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2208-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2300-413-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2736-286-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2848-431-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2868-450-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3176-130-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3196-176-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3288-96-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3292-276-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3356-223-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3408-101-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3416-103-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3472-129-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3476-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3488-395-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3496-51-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3520-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3628-473-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3636-318-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3700-453-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3828-352-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3860-392-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3868-44-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3872-316-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3888-314-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3960-277-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3976-355-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4496-403-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4560-444-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4572-471-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4596-441-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4604-388-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4612-337-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-240-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4780-448-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4860-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4896-193-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5036-300-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5068-414-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5100-299-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5112-342-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads