0ee9df4eef50b8cfc5eb6f1529cba23f9494ec6ab31f506564e2f77a52164a3d

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
Size

84KB
MD5

ed6cbf61c3148459ace8a533611c0a00
SHA1

c2cee7e9d683be897146534f1b4d065c04c83571
SHA256

0ee9df4eef50b8cfc5eb6f1529cba23f9494ec6ab31f506564e2f77a52164a3d
SHA512

60d11207699f40d724fa98093f8b49f46ea70b4df2dde3a26d03c6d7e0d0e60a5ea39ac48519a27b0048111003e78a218eb8b0319f36453938fc280ea099e564
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmY:BeT7BVwxfvEFwjRY

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1780	backup.exe
2560	data.exe
3436	backup.exe
4404	backup.exe
2796	backup.exe
2956	backup.exe
2160	backup.exe
4900	backup.exe
4680	backup.exe
4008	backup.exe
1220	backup.exe
5000	backup.exe
4664	backup.exe
4724	backup.exe
1008	backup.exe
4248	backup.exe
4908	backup.exe
2072	backup.exe
1900	backup.exe
4960	backup.exe
5076	backup.exe
2168	backup.exe
2560	backup.exe
812	backup.exe
4568	backup.exe
3756	backup.exe
3788	backup.exe
4672	backup.exe
2620	backup.exe
1272	backup.exe
3816	backup.exe
3836	backup.exe
948	backup.exe
2544	backup.exe
2760	data.exe
4392	backup.exe
4848	backup.exe
4076	data.exe
2548	backup.exe
764	backup.exe
4844	backup.exe
2296	backup.exe
2560	backup.exe
4640	backup.exe
2464	backup.exe
3980	System Restore.exe
2956	backup.exe
1584	backup.exe
3840	backup.exe
1940	backup.exe
4360	backup.exe
1876	backup.exe
4368	System Restore.exe
3540	backup.exe
3392	backup.exe
1808	backup.exe
4212	backup.exe
3836	System Restore.exe
1828	backup.exe
4872	backup.exe
3708	System Restore.exe
4296	backup.exe
2128	backup.exe
1792	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3732-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e63-7.dat	upx
behavioral2/files/0x0007000000022e63-6.dat	upx
behavioral2/files/0x0007000000022e65-13.dat	upx
behavioral2/files/0x0007000000022e65-11.dat	upx
behavioral2/files/0x0007000000022e65-12.dat	upx
behavioral2/files/0x0008000000022e5d-18.dat	upx
behavioral2/memory/2560-20-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e67-25.dat	upx
behavioral2/files/0x0008000000022e67-26.dat	upx
behavioral2/files/0x0008000000022e5d-19.dat	upx
behavioral2/memory/4404-30-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e69-33.dat	upx
behavioral2/files/0x0008000000022e69-32.dat	upx
behavioral2/files/0x0007000000022e6a-38.dat	upx
behavioral2/files/0x0007000000022e6a-39.dat	upx
behavioral2/memory/2956-43-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e6b-46.dat	upx
behavioral2/files/0x0008000000022e6b-45.dat	upx
behavioral2/memory/3732-50-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1780-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3436-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2796-55-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e6d-59.dat	upx
behavioral2/files/0x0007000000022e6e-61.dat	upx
behavioral2/files/0x0008000000022e6d-57.dat	upx
behavioral2/memory/2160-53-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4680-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e6e-60.dat	upx
behavioral2/memory/2796-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3436-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4900-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e6f-73.dat	upx
behavioral2/files/0x0007000000022e71-77.dat	upx
behavioral2/files/0x0008000000022e6f-76.dat	upx
behavioral2/files/0x0007000000022e71-75.dat	upx
behavioral2/memory/4008-84-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e95-87.dat	upx
behavioral2/files/0x0006000000022e96-90.dat	upx
behavioral2/files/0x0006000000022e96-89.dat	upx
behavioral2/files/0x0006000000022e95-88.dat	upx
behavioral2/memory/4680-96-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1220-97-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5000-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4664-99-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e99-101.dat	upx
behavioral2/memory/4664-104-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e99-103.dat	upx
behavioral2/files/0x0007000000022e91-108.dat	upx
behavioral2/files/0x0007000000022e91-109.dat	upx
behavioral2/memory/1220-110-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5000-113-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4724-112-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022ea1-118.dat	upx
behavioral2/files/0x0006000000022ea1-119.dat	upx
behavioral2/files/0x000a000000022e98-125.dat	upx
behavioral2/files/0x000a000000022e98-124.dat	upx
behavioral2/files/0x000b000000022e72-134.dat	upx
behavioral2/memory/4248-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e9b-153.dat	upx
behavioral2/files/0x0008000000022e9b-154.dat	upx
behavioral2/memory/1900-158-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0009000000022e9d-161.dat	upx
behavioral2/files/0x0009000000022e9d-160.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe	backup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
1780	backup.exe
2560	data.exe
3436	backup.exe
4404	backup.exe
2796	backup.exe
2956	backup.exe
2160	backup.exe
4680	backup.exe
4900	backup.exe
4008	backup.exe
1220	backup.exe
5000	backup.exe
4664	backup.exe
4724	backup.exe
1008	backup.exe
4248	backup.exe
4908	backup.exe
2072	backup.exe
1900	backup.exe
4960	backup.exe
5076	backup.exe
2168	backup.exe
2560	backup.exe
812	backup.exe
4568	backup.exe
3756	backup.exe
3788	backup.exe
2620	backup.exe
1272	backup.exe
3816	backup.exe
4672	backup.exe
3836	backup.exe
948	backup.exe
764	backup.exe
4848	backup.exe
2548	backup.exe
2760	data.exe
4844	backup.exe
2544	backup.exe
4076	data.exe
4392	backup.exe
2296	backup.exe
2560	backup.exe
2464	backup.exe
4640	backup.exe
2956	backup.exe
3980	System Restore.exe
1584	backup.exe
1940	backup.exe
3840	backup.exe
1876	backup.exe
4368	System Restore.exe
3540	backup.exe
4360	backup.exe
3392	backup.exe
3836	System Restore.exe
1808	backup.exe
1828	backup.exe
3708	System Restore.exe
4296	backup.exe
4212	backup.exe
4872	backup.exe
2128	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1780	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	89
PID 3732 wrote to memory of 1780	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	89
PID 3732 wrote to memory of 1780	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	89
PID 3732 wrote to memory of 2560	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	90
PID 3732 wrote to memory of 2560	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	90
PID 3732 wrote to memory of 2560	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	90
PID 3732 wrote to memory of 3436	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	92
PID 3732 wrote to memory of 3436	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	92
PID 3732 wrote to memory of 3436	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	92
PID 3732 wrote to memory of 4404	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	91
PID 3732 wrote to memory of 4404	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	91
PID 3732 wrote to memory of 4404	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	91
PID 3732 wrote to memory of 2796	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	94
PID 3732 wrote to memory of 2796	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	94
PID 3732 wrote to memory of 2796	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	94
PID 3732 wrote to memory of 2956	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	93
PID 3732 wrote to memory of 2956	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	93
PID 3732 wrote to memory of 2956	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	93
PID 3732 wrote to memory of 2160	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	95
PID 3732 wrote to memory of 2160	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	95
PID 3732 wrote to memory of 2160	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	95
PID 3732 wrote to memory of 4900	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	96
PID 3732 wrote to memory of 4900	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	96
PID 3732 wrote to memory of 4900	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	96
PID 1780 wrote to memory of 4680	1780	backup.exe	97
PID 1780 wrote to memory of 4680	1780	backup.exe	97
PID 1780 wrote to memory of 4680	1780	backup.exe	97
PID 4680 wrote to memory of 4008	4680	backup.exe	98
PID 4680 wrote to memory of 4008	4680	backup.exe	98
PID 4680 wrote to memory of 4008	4680	backup.exe	98
PID 3732 wrote to memory of 1220	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	99
PID 3732 wrote to memory of 1220	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	99
PID 3732 wrote to memory of 1220	3732	NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe	99
PID 1220 wrote to memory of 5000	1220	backup.exe	102
PID 1220 wrote to memory of 5000	1220	backup.exe	102
PID 1220 wrote to memory of 5000	1220	backup.exe	102
PID 4680 wrote to memory of 4664	4680	backup.exe	101
PID 4680 wrote to memory of 4664	4680	backup.exe	101
PID 4680 wrote to memory of 4664	4680	backup.exe	101
PID 5000 wrote to memory of 4724	5000	backup.exe	103
PID 5000 wrote to memory of 4724	5000	backup.exe	103
PID 5000 wrote to memory of 4724	5000	backup.exe	103
PID 4680 wrote to memory of 1008	4680	backup.exe	105
PID 4680 wrote to memory of 1008	4680	backup.exe	105
PID 4680 wrote to memory of 1008	4680	backup.exe	105
PID 1008 wrote to memory of 4248	1008	backup.exe	107
PID 1008 wrote to memory of 4248	1008	backup.exe	107
PID 1008 wrote to memory of 4248	1008	backup.exe	107
PID 4248 wrote to memory of 4908	4248	backup.exe	108
PID 4248 wrote to memory of 4908	4248	backup.exe	108
PID 4248 wrote to memory of 4908	4248	backup.exe	108
PID 1008 wrote to memory of 2072	1008	backup.exe	110
PID 1008 wrote to memory of 2072	1008	backup.exe	110
PID 1008 wrote to memory of 2072	1008	backup.exe	110
PID 2072 wrote to memory of 1900	2072	backup.exe	111
PID 2072 wrote to memory of 1900	2072	backup.exe	111
PID 2072 wrote to memory of 1900	2072	backup.exe	111
PID 2072 wrote to memory of 4960	2072	backup.exe	112
PID 2072 wrote to memory of 4960	2072	backup.exe	112
PID 2072 wrote to memory of 4960	2072	backup.exe	112
PID 4960 wrote to memory of 5076	4960	backup.exe	113
PID 4960 wrote to memory of 5076	4960	backup.exe	113
PID 4960 wrote to memory of 5076	4960	backup.exe	113
PID 4960 wrote to memory of 2168	4960	backup.exe	114

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ed6cbf61c3148459ace8a533611c0a00_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\{D9D737C4-409E-4204-B3B4-D15616CABAF5}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{D9D737C4-409E-4204-B3B4-D15616CABAF5}\backup.exe C:\Users\Admin\AppData\Local\Temp\{D9D737C4-409E-4204-B3B4-D15616CABAF5}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4008
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4664
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4908
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1900
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2560
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4568
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3756
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3788
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        
        PID:3252
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:5308
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:4636
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:2812
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:1416
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        System policy modification
        
        PID:4104
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:3252
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:5980
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:6044
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:1448
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:4596
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:1072
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:3748
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:6136
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:4200
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:3120
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:5948
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:5128
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:948
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2676
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:632
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3980
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        Drops file in Program Files directory
        
        PID:3424
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:2232
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:2312
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:5052
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:524
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:3732
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:5636
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3836
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2128
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:1660
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4636
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1132
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4520
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        9⤵
        
        PID:4680
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        9⤵
        System policy modification
        
        PID:2936
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4492
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:5232
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:4592
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:5272
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:5936
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1856
        
        C:\Program Files\Common Files\System\msadc\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\System Restore.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:4444
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3080
        
        C:\Program Files\Common Files\System\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ja-JP\update.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:5052
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:3860
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1416
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:4176
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1588
        
        C:\Program Files\Common Files\System\Ole DB\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1052
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3208
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1272
      - C:\Program Files\Google\Chrome\data.exe
        
        "C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4212
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1524
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2304
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:956
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4240
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:5780
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\
        11⤵
        System policy modification
        
        PID:4184
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        System policy modification
        
        PID:1668
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        System policy modification
        
        PID:1036
      - C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        6⤵
        
        PID:4676
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:764
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4360
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:3860
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1792
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:3092
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3040
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:64
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        7⤵
        
        PID:2364
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:4680
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4640
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        System policy modification
        
        PID:2268
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4828
        
        C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:2228
        
        C:\Program Files\Java\jdk-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        
        PID:5520
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\System Restore.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        
        PID:6104
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:1964
        
        C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        
        PID:4260
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        
        PID:1632
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        
        PID:2036
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:3980
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        Drops file in Program Files directory
        
        PID:4080
        
        C:\Program Files\Java\jre-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        
        PID:5460
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:4104
        
        C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        8⤵
        
        PID:5700
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4296
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        System policy modification
        
        PID:4588
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:4164
      - C:\Program Files\Microsoft Office\root\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\System Restore.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3836
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1116
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:3264
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:5820
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:5756
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:1672
        
        C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        8⤵
        
        PID:5688
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        9⤵
        
        PID:520
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        10⤵
        
        PID:5388
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        10⤵
        
        PID:4780
        
        C:\Program Files\Microsoft Office\root\Licenses\update.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\update.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:976
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:1864
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:368
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1320
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:4240
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:748
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3592
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        6⤵
        
        PID:3856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        7⤵
        
        PID:3176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        8⤵
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        8⤵
        
        PID:5084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        7⤵
        
        PID:5668
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1264
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:5204
        
        C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2124
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:4520
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:4680
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4424
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:5292
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:5632
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1672
      - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        6⤵
        
        PID:4424
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:5852
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:5204
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:5212
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3816
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:6076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:5044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:2312
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        System policy modification
        
        PID:5016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:5968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:6016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:6108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:5628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3592
        
        C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        9⤵
        System policy modification
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:1360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:5552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:6096
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2560
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3476
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:5744
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:5248
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:5656
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:2748
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:4328
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1416
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2300
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:4108
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3492
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:3436
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4360
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:6020
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:5436
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:5448
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:5808
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:5052
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1132
      - C:\Program Files (x86)\Common Files\Oracle\update.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\update.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:4356
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        System policy modification
        
        PID:64
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:5648
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3392
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3796
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4428
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        7⤵
        
        PID:5224
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        7⤵
        
        PID:464
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        7⤵
        
        PID:4360
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1136
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        System policy modification
        
        PID:5064
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:4368
        
        C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\
        8⤵
        
        PID:3788
        
        C:\Program Files (x86)\Google\Update\Offline\data.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\data.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:5004
        
        C:\Program Files (x86)\Google\Update\Download\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\Download\System Restore.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Drops file in Program Files directory
        
        PID:3408
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:5544
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:5384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:3392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:4632
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Drops file in Program Files directory
        
        PID:1360
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\
        7⤵
        
        PID:4756
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:5592
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4308
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3540
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:4832
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:5664
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:5132
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:6136
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4076
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3840
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:608
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2072
      - C:\Users\Admin\Desktop\data.exe
        
        C:\Users\Admin\Desktop\data.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1556
        
        C:\Users\Admin\Documents\OneNote Notebooks\data.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\data.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:676
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:4628
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:5824
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:400
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:6012
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:5212
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:5772
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3776
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:224
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3788
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:556
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4628
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2284
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2796
      - C:\Users\Public\Music\System Restore.exe
        
        "C:\Users\Public\Music\System Restore.exe" C:\Users\Public\Music\
        6⤵
        
        PID:2796
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1612
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2464
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:3836
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:3992
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:724
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4424
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2544
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3796
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:608
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:4240
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:1680
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:6000
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:2796
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:2948
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1272
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:5308
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:5240
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:5612
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:5144
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:6124
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:5616
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:5836
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        System policy modification
        
        PID:2544
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:5676
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:5932
- C:\Users\Admin\AppData\Local\Temp\3877985955\data.exe
  C:\Users\Admin\AppData\Local\Temp\3877985955\data.exe C:\Users\Admin\AppData\Local\Temp\3877985955\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3436
- - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3656
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4724

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
1⤵
- System policy modification
PID:3368

C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
1⤵
PID:3104

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
1⤵
- Modifies visibility of file extensions in Explorer
PID:2944

C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
"C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
1⤵
- Modifies visibility of file extensions in Explorer
PID:1792

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
1⤵
PID:1400

C:\Program Files (x86)\Internet Explorer\images\backup.exe
"C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
1⤵
PID:772

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
1⤵
PID:2312

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
1⤵
PID:4116
- C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\
  2⤵
  PID:5696
- - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\
    3⤵
    PID:5244
  - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\
      4⤵
      PID:4296
    - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\
        5⤵
        
        PID:3364
      - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\
        6⤵
        
        PID:5156
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\
        7⤵
        
        PID:6092
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\84CB2D97-720A-4CA7-AE34-B9EB973F43EA\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        8⤵
        
        PID:4240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
1⤵
PID:5320

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
1⤵
PID:2228

C:\Program Files\Java\jre-1.8\legal\backup.exe
"C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
1⤵
PID:5528
- C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
  "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
  2⤵
  PID:6132
- C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
  "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
  2⤵
  PID:2100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
1⤵
PID:5900

C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
1⤵
PID:5876

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
1⤵
PID:5644
- C:\Windows\assembly\GAC\ADODB\backup.exe
  C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
  2⤵
  PID:2940
- C:\Windows\assembly\GAC\Extensibility\backup.exe
  C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
  2⤵
  PID:5888

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
1⤵
PID:5680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
1⤵
PID:5604

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
1⤵
PID:5560

C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
1⤵
PID:2272
- C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
  "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
  2⤵
  PID:5600

C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
1⤵
PID:5840

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
1⤵
PID:5788
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
  2⤵
  PID:1564

C:\Program Files\Java\jre-1.8\bin\server\backup.exe
"C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
1⤵
PID:184

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
1⤵
PID:4532

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
1⤵
PID:3484

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\data.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
1⤵
PID:3944

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
1⤵
PID:1856

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
1⤵
- Modifies visibility of file extensions in Explorer
PID:1132

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
1⤵
- Modifies visibility of file extensions in Explorer
PID:524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
1⤵
- System policy modification
PID:4492

C:\Program Files\Java\jre-1.8\bin\dtplugin\update.exe
"C:\Program Files\Java\jre-1.8\bin\dtplugin\update.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
1⤵
PID:3800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
1⤵
PID:2196

C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:4428

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
1⤵
PID:2388

C:\Program Files\Java\jre-1.8\bin\backup.exe
"C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2156

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
1⤵
PID:5864

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
1⤵
PID:1728
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
  2⤵
  PID:1596
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
    3⤵
    PID:5684

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
PID:1432

C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
"C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
1⤵
PID:4628

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\System Restore.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
1⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
84KB

MD5
6004f898ef96d759290b44b73a8c4f3e

SHA1
c8f1abbe2d74c131762f0eb60333e99be19ff5d4

SHA256
36ecf092ba4fbbab7d9eeff9800d34bc6f3bf1247306637e43d995ee979fa23c

SHA512
98469a32cf732e5a3e658157ad18457e0cbc52d7d1f0138037d496c5e68cec5248b11f7cf9aa98cc900372142d741a89f3dcf01cf395362244c46202eee720da

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
6004f898ef96d759290b44b73a8c4f3e

SHA1
c8f1abbe2d74c131762f0eb60333e99be19ff5d4

SHA256
36ecf092ba4fbbab7d9eeff9800d34bc6f3bf1247306637e43d995ee979fa23c

SHA512
98469a32cf732e5a3e658157ad18457e0cbc52d7d1f0138037d496c5e68cec5248b11f7cf9aa98cc900372142d741a89f3dcf01cf395362244c46202eee720da

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
c94feb44935527e583bad373e2d79a17

SHA1
580ef624e601b9417ae09142718a3c2085324684

SHA256
98d683290a9c8599c0c3c174d86517debd3e43a2a237db916bb98c0dd370936d

SHA512
cdfa9c62784265aba901ff03d40984cbf3b102b43706b7fd2bfcda7356f0c116daccb63f6584587e5d2ac4168de51f57146502a9f9a6c08174f47b1d1ca0bd5d

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
84KB

MD5
c94feb44935527e583bad373e2d79a17

SHA1
580ef624e601b9417ae09142718a3c2085324684

SHA256
98d683290a9c8599c0c3c174d86517debd3e43a2a237db916bb98c0dd370936d

SHA512
cdfa9c62784265aba901ff03d40984cbf3b102b43706b7fd2bfcda7356f0c116daccb63f6584587e5d2ac4168de51f57146502a9f9a6c08174f47b1d1ca0bd5d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
f1648150172acb2dae784a41f70eaa8f

SHA1
54a10fa0e4330ac8590374b1d698e0f90515096a

SHA256
0d49b14a56debb864627141654abbb5f589ca118a0e6db07d5480dda6069ed29

SHA512
4545c339dc828fa922a2741e992a349ade72e4242cb680089b1ccda0f15150a7bf746a6cb602765a37e2766a2ea5dd06fd3809c6f1ec79603a7a6d11aa2e384d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
f1648150172acb2dae784a41f70eaa8f

SHA1
54a10fa0e4330ac8590374b1d698e0f90515096a

SHA256
0d49b14a56debb864627141654abbb5f589ca118a0e6db07d5480dda6069ed29

SHA512
4545c339dc828fa922a2741e992a349ade72e4242cb680089b1ccda0f15150a7bf746a6cb602765a37e2766a2ea5dd06fd3809c6f1ec79603a7a6d11aa2e384d

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
84KB

MD5
6de6bfbbd5e424b44f53e21fd729a959

SHA1
677c1c5d58eb1fa59df027b11f37ad422aad7934

SHA256
9acc035c3ab40a508216f99a6ec1707098ed03a6278523d1cc2fb544bd5555c5

SHA512
32462bbb114355948ecec5011d9b1df0b8f5107cc707da7cef33dadacac33434a4c647531d59666634568ec41107496d92cfac501af8bd2e420dc1844ac1a58c

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
84KB

MD5
6de6bfbbd5e424b44f53e21fd729a959

SHA1
677c1c5d58eb1fa59df027b11f37ad422aad7934

SHA256
9acc035c3ab40a508216f99a6ec1707098ed03a6278523d1cc2fb544bd5555c5

SHA512
32462bbb114355948ecec5011d9b1df0b8f5107cc707da7cef33dadacac33434a4c647531d59666634568ec41107496d92cfac501af8bd2e420dc1844ac1a58c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
f1648150172acb2dae784a41f70eaa8f

SHA1
54a10fa0e4330ac8590374b1d698e0f90515096a

SHA256
0d49b14a56debb864627141654abbb5f589ca118a0e6db07d5480dda6069ed29

SHA512
4545c339dc828fa922a2741e992a349ade72e4242cb680089b1ccda0f15150a7bf746a6cb602765a37e2766a2ea5dd06fd3809c6f1ec79603a7a6d11aa2e384d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
f1648150172acb2dae784a41f70eaa8f

SHA1
54a10fa0e4330ac8590374b1d698e0f90515096a

SHA256
0d49b14a56debb864627141654abbb5f589ca118a0e6db07d5480dda6069ed29

SHA512
4545c339dc828fa922a2741e992a349ade72e4242cb680089b1ccda0f15150a7bf746a6cb602765a37e2766a2ea5dd06fd3809c6f1ec79603a7a6d11aa2e384d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
84KB

MD5
8781b3d2d712d570584d8d16b27b56d4

SHA1
86ecdabb0bd41ca6c277c3c37649cd283cbaa2aa

SHA256
901ad0293b4fab64cf4213c1826e9fcf1198bb7bfb660f73e1a94bd63ce327e7

SHA512
9d6026523a20aa0f1e81fa9a7a4f018f3f8b4bd9afb0086637e6e49be0043e35d69c754f8c479ee36bafb5abdb7a10c4c40aacdf7fa8b5364f1405f3a4bbd256

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
84KB

MD5
8781b3d2d712d570584d8d16b27b56d4

SHA1
86ecdabb0bd41ca6c277c3c37649cd283cbaa2aa

SHA256
901ad0293b4fab64cf4213c1826e9fcf1198bb7bfb660f73e1a94bd63ce327e7

SHA512
9d6026523a20aa0f1e81fa9a7a4f018f3f8b4bd9afb0086637e6e49be0043e35d69c754f8c479ee36bafb5abdb7a10c4c40aacdf7fa8b5364f1405f3a4bbd256

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
84KB

MD5
069a6e7a082b2bd5407f15979dbce247

SHA1
906ddf3acc0e5648519d78d06d9a3bf98deb6f30

SHA256
0bdda658c463ce65658f3a0fcac17e893691596cfb1c96f2e5f5abf8681644c6

SHA512
e2ca5dcbe0db17809b403b73dcf5cb2e0f2256329458daa515ff3682efdd12f168e3cef2fdf68123bb9c59cfe837161d9649ea9dadbf49969843922f8b6f04bd

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

Filesize
84KB

MD5
069a6e7a082b2bd5407f15979dbce247

SHA1
906ddf3acc0e5648519d78d06d9a3bf98deb6f30

SHA256
0bdda658c463ce65658f3a0fcac17e893691596cfb1c96f2e5f5abf8681644c6

SHA512
e2ca5dcbe0db17809b403b73dcf5cb2e0f2256329458daa515ff3682efdd12f168e3cef2fdf68123bb9c59cfe837161d9649ea9dadbf49969843922f8b6f04bd

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
84KB

MD5
5c84ae5e497c1da0ae895b207ca6a1cb

SHA1
ad20c616ab5a32ae00abee2fd9afd1b9436036f9

SHA256
880f42f46705b9863a845102322f4388b44ec2abeb00f2d524b732ea9ee3c02d

SHA512
12412cbc26ca47a85849e97b3b519eb564576e6e313564f5c30e74adb9440a7b452dfb13d4e330e415011001bd374fb9decbd05d51980fd9110ae8ce6208f7c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
84KB

MD5
8781b3d2d712d570584d8d16b27b56d4

SHA1
86ecdabb0bd41ca6c277c3c37649cd283cbaa2aa

SHA256
901ad0293b4fab64cf4213c1826e9fcf1198bb7bfb660f73e1a94bd63ce327e7

SHA512
9d6026523a20aa0f1e81fa9a7a4f018f3f8b4bd9afb0086637e6e49be0043e35d69c754f8c479ee36bafb5abdb7a10c4c40aacdf7fa8b5364f1405f3a4bbd256

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
84KB

MD5
8781b3d2d712d570584d8d16b27b56d4

SHA1
86ecdabb0bd41ca6c277c3c37649cd283cbaa2aa

SHA256
901ad0293b4fab64cf4213c1826e9fcf1198bb7bfb660f73e1a94bd63ce327e7

SHA512
9d6026523a20aa0f1e81fa9a7a4f018f3f8b4bd9afb0086637e6e49be0043e35d69c754f8c479ee36bafb5abdb7a10c4c40aacdf7fa8b5364f1405f3a4bbd256

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
84KB

MD5
c9e5a06b701206a2084a9357dec0d94c

SHA1
291d30a1656835458cf85b4e45fdb40292891ddf

SHA256
ac64024e32a57ef9aebe919f4d849e96f40fa8f3f2dc7dfa49dd6715533f5d0f

SHA512
dbb11df5acfb806a7bc9ccdfff7c00344677ca3af31737d2735f4d50556a2bbaf24e17869c18e68bbed41fbcf635158b9ce627bba51c35a4532fafe63a14c06d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
84KB

MD5
670a99b401ba189b37596888baa239de

SHA1
dbe7b0ab7bcce302f814c66f2b9ed5a5a5842afe

SHA256
15998c8dfc88b9a8f6627dc8e3e82d8a891d7015780b0a6f4362798ff4783d9f

SHA512
0e9e46d15af1ebbeeb33776715b09d2c64c83053529d6ea59222f627e7e99f301799380449733c175a19129e5e9d72fc8ec129f5148ca2331120e182bb7caa42

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
84KB

MD5
670a99b401ba189b37596888baa239de

SHA1
dbe7b0ab7bcce302f814c66f2b9ed5a5a5842afe

SHA256
15998c8dfc88b9a8f6627dc8e3e82d8a891d7015780b0a6f4362798ff4783d9f

SHA512
0e9e46d15af1ebbeeb33776715b09d2c64c83053529d6ea59222f627e7e99f301799380449733c175a19129e5e9d72fc8ec129f5148ca2331120e182bb7caa42

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
84KB

MD5
42b6871ec10cffcb0d62b153c4d11087

SHA1
d5da1bc85f6a2142902fcc8c8f32e9cccb9d3f07

SHA256
1c2af92b84c10f7199fbb07c86832b4cb709e5f422a1c4d93cae26e0c56b3929

SHA512
50a627b803380de256b07e31b69a375ad53ec43b065dcb3b83b9ae35f7b34e2ed164764479e86e679a357c886279eea49a3d11821eaae279c0db9e39a51192f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
84KB

MD5
42b6871ec10cffcb0d62b153c4d11087

SHA1
d5da1bc85f6a2142902fcc8c8f32e9cccb9d3f07

SHA256
1c2af92b84c10f7199fbb07c86832b4cb709e5f422a1c4d93cae26e0c56b3929

SHA512
50a627b803380de256b07e31b69a375ad53ec43b065dcb3b83b9ae35f7b34e2ed164764479e86e679a357c886279eea49a3d11821eaae279c0db9e39a51192f2

Download Submit
C:\Program Files\Google\backup.exe

Filesize
84KB

MD5
5e2b513acc196ce792b4e5659143dc48

SHA1
bcdb1160c2c2e8c07dd8c8ac8122552fe9df16df

SHA256
2500ec46546f9aaed2d2fc61b250d2a4ebdb8ce5d54125c04a19445725a1ff16

SHA512
d974533af31e4dfd3f469975b880d10f8e2ca8845fe0c168f1e377031efd119b61a80cd61b9ea7077aa45430712b07ee9dbfc4d231c702ffc60fd9808ebcf122

Download Submit
C:\Program Files\Google\backup.exe

Filesize
84KB

MD5
5e2b513acc196ce792b4e5659143dc48

SHA1
bcdb1160c2c2e8c07dd8c8ac8122552fe9df16df

SHA256
2500ec46546f9aaed2d2fc61b250d2a4ebdb8ce5d54125c04a19445725a1ff16

SHA512
d974533af31e4dfd3f469975b880d10f8e2ca8845fe0c168f1e377031efd119b61a80cd61b9ea7077aa45430712b07ee9dbfc4d231c702ffc60fd9808ebcf122

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
fdc6fc2014e092f1747b3614745a3eac

SHA1
693131684ac4250e259ee9ae734669bd356150a0

SHA256
413d72f6b500a5fc1773464fe88b395df9288393d05882c2747cc675374eee1c

SHA512
d86088dfd9b565ee35a91d0cb8542952875f387f2df0e57d1078608ca5269ebcf118c6e8cb59f60986ed6a94065e43eaf9033a22fb34d982dc80b2e1dc4b47d2

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
fdc6fc2014e092f1747b3614745a3eac

SHA1
693131684ac4250e259ee9ae734669bd356150a0

SHA256
413d72f6b500a5fc1773464fe88b395df9288393d05882c2747cc675374eee1c

SHA512
d86088dfd9b565ee35a91d0cb8542952875f387f2df0e57d1078608ca5269ebcf118c6e8cb59f60986ed6a94065e43eaf9033a22fb34d982dc80b2e1dc4b47d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3877985955\data.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3877985955\data.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3877985955\data.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
84KB

MD5
289a859dd0a8c79d0dd050d7e79416f2

SHA1
672627c7b63172ecd589664e2184f44f1042fe7b

SHA256
86c0b3936bfcb21c283d4e747b447b6270dd47627be8b94dbd8ea1fc614b3e8a

SHA512
5c6c1dbd88562b50968fbbf0f83f14456d91660db9cb64885ae3d819cd8a5df25590cae456254b2b299be834456d587c3e35b38534e3d462f2adbee7bce715ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
84KB

MD5
289a859dd0a8c79d0dd050d7e79416f2

SHA1
672627c7b63172ecd589664e2184f44f1042fe7b

SHA256
86c0b3936bfcb21c283d4e747b447b6270dd47627be8b94dbd8ea1fc614b3e8a

SHA512
5c6c1dbd88562b50968fbbf0f83f14456d91660db9cb64885ae3d819cd8a5df25590cae456254b2b299be834456d587c3e35b38534e3d462f2adbee7bce715ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
84KB

MD5
2ba06a512b5b1a6b9dca86d6efb3e12a

SHA1
d210a82f969582eb69cfe1082ab39b251f30149c

SHA256
b3a31417e09ecb1df3a889f4e37d1908c6291100808bde30e0980cf2e3a3a723

SHA512
193cd176d70513568015dadecb38ff8e35ad9f7b0e1cad369734f4e23df399e5f3d8d4479c86e68b9f956fbc33b2183bdadf5bf3846ea0a439c3de98cdfc2751

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
84KB

MD5
2ba06a512b5b1a6b9dca86d6efb3e12a

SHA1
d210a82f969582eb69cfe1082ab39b251f30149c

SHA256
b3a31417e09ecb1df3a889f4e37d1908c6291100808bde30e0980cf2e3a3a723

SHA512
193cd176d70513568015dadecb38ff8e35ad9f7b0e1cad369734f4e23df399e5f3d8d4479c86e68b9f956fbc33b2183bdadf5bf3846ea0a439c3de98cdfc2751

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
84KB

MD5
5bdafa5dcad7a3ee65f4a2e622c22af3

SHA1
49b618a85a9e850aeb0bb8ad0bad11b0b66ec12a

SHA256
97763baa474dd86f10c202a503f6023a358ac16a519fd6d66f110c51c8425cfc

SHA512
23b9cdc47e5cf6af6b0d7c8174e1e926ec3004d1c979fee8409cd81eca2876457b645ceca4d00129ac2e7e260f28b387145d724d203b2e2e4e3dfd5e216f536e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
84KB

MD5
5bdafa5dcad7a3ee65f4a2e622c22af3

SHA1
49b618a85a9e850aeb0bb8ad0bad11b0b66ec12a

SHA256
97763baa474dd86f10c202a503f6023a358ac16a519fd6d66f110c51c8425cfc

SHA512
23b9cdc47e5cf6af6b0d7c8174e1e926ec3004d1c979fee8409cd81eca2876457b645ceca4d00129ac2e7e260f28b387145d724d203b2e2e4e3dfd5e216f536e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
55392ef73352e4be6523d5e3a9a4b717

SHA1
4788394015d3fce05d1babcf9f3b6c145d2554d6

SHA256
519384aeb7be8b1b71ba817d080bfeb191962384bf8a7981cc1fa27ad49f2534

SHA512
96d607f228083e9f1cb61e3f3127b941b021911d3c8307d37b1b7cdfc616ee7f9217c30958b9bc5bb125f39958516d88af44726fcebab8543808b86090b93253

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
a380308520efc147412835c17c629812

SHA1
6cff791eed4c21ce2fc99dd23d5c667a5690faa5

SHA256
67af16eaa9f8d183ad07a5b33ffa98dec295c30933f8e3ec25c6dd36b02c7ece

SHA512
e978211983efc130287c23fd142760d5724fe5a89f264204ed6cfae9475b468ed807325a40fdc0652e3007bb0da668053d0f1c0b31eacfd6e0e387d8455c0954

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D9D737C4-409E-4204-B3B4-D15616CABAF5}\backup.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D9D737C4-409E-4204-B3B4-D15616CABAF5}\backup.exe

Filesize
84KB

MD5
c7cddfa4970069dca719e9a0db0cae20

SHA1
85c763daf18f1482d894c21c76f14731132c4a09

SHA256
3450856f04f9fc019f22d2e19f593fe330b18ba3516667ea40b0482afb02c77a

SHA512
4d54e7e3be0cd447684f0919b313380e9b76380f2284f3c74c190dcd04126334db348c7300adad4a31af458fbb3304a716f3e5479596f15b7289c61d9250969b

Download Submit
C:\backup.exe

Filesize
84KB

MD5
1af8d20e4871474f54034edd89d7e49f

SHA1
2f995505de22a6b65a9be2f20a12d50ab31adc5f

SHA256
bd58dcdf7a770c94b3c2c2b8dae9ea7ca38a1bbbef23d1eb2af0c15262697071

SHA512
3de461cc2c5217458ab6d9cca163fb5c1f4b6fcf94a3604f96a0844f4b770b98f3d3c9eb46650d3d91ba504bdc38c5d84b7cd4b962bedd24cd3c7ccba630b218

Download Submit
C:\backup.exe

Filesize
84KB

MD5
1af8d20e4871474f54034edd89d7e49f

SHA1
2f995505de22a6b65a9be2f20a12d50ab31adc5f

SHA256
bd58dcdf7a770c94b3c2c2b8dae9ea7ca38a1bbbef23d1eb2af0c15262697071

SHA512
3de461cc2c5217458ab6d9cca163fb5c1f4b6fcf94a3604f96a0844f4b770b98f3d3c9eb46650d3d91ba504bdc38c5d84b7cd4b962bedd24cd3c7ccba630b218

Download Submit
C:\odt\backup.exe

Filesize
84KB

MD5
6004f898ef96d759290b44b73a8c4f3e

SHA1
c8f1abbe2d74c131762f0eb60333e99be19ff5d4

SHA256
36ecf092ba4fbbab7d9eeff9800d34bc6f3bf1247306637e43d995ee979fa23c

SHA512
98469a32cf732e5a3e658157ad18457e0cbc52d7d1f0138037d496c5e68cec5248b11f7cf9aa98cc900372142d741a89f3dcf01cf395362244c46202eee720da

Download Submit
C:\odt\backup.exe

Filesize
84KB

MD5
6004f898ef96d759290b44b73a8c4f3e

SHA1
c8f1abbe2d74c131762f0eb60333e99be19ff5d4

SHA256
36ecf092ba4fbbab7d9eeff9800d34bc6f3bf1247306637e43d995ee979fa23c

SHA512
98469a32cf732e5a3e658157ad18457e0cbc52d7d1f0138037d496c5e68cec5248b11f7cf9aa98cc900372142d741a89f3dcf01cf395362244c46202eee720da

Download Submit
memory/764-309-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/812-193-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-281-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1008-194-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1220-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1220-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1272-321-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1272-272-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1584-360-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1780-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2072-320-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2160-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2168-245-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2296-325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2464-340-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2544-301-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2548-308-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-184-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-335-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2620-268-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2760-305-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2796-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2796-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2956-43-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2956-345-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3436-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3436-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3732-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3732-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3732-50-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3756-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3788-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3816-275-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3836-257-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3980-359-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3980-344-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4008-84-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4076-307-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4248-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4392-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4404-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4568-202-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4640-341-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4664-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4664-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4672-253-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4672-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4680-96-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4680-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4724-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4844-310-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4844-356-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4848-358-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4848-306-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4900-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4908-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4960-237-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5000-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5000-113-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5076-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads