1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe
Size

72KB
MD5

7c33ce1d79b00438aaf850cc8efc37ea
SHA1

0f65a6f2442675b1271a40b9b62f3c8ca7f9e7d5
SHA256

1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87
SHA512

ec1a0dc9436bb86d8326c1301876381be0fc647c6865dd551ce884fb55807ebcd8b498cdb43d6a1685609b52650cc618895dd34d249de5b8b3c4e292cb9914f4
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr3n2:ieTce/U/hKYuKX2

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	TrustedInstaller.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe

Executes dropped EXE 64 IoCs

pid	Process
4540	backup.exe
224	backup.exe
4056	backup.exe
4516	data.exe
628	backup.exe
4664	backup.exe
3156	backup.exe
1268	backup.exe
4400	backup.exe
836	backup.exe
1984	backup.exe
4524	backup.exe
1324	backup.exe
4312	backup.exe
3296	backup.exe
3680	backup.exe
860	backup.exe
3896	backup.exe
3924	update.exe
4528	backup.exe
2264	backup.exe
4972	TrustedInstaller.exe
4736	backup.exe
904	backup.exe
760	backup.exe
4244	BackgroundTransferHost.exe
4224	backup.exe
4836	backup.exe
392	backup.exe
4820	backup.exe
232	backup.exe
4620	backup.exe
4076	backup.exe
1356	backup.exe
1756	backup.exe
4724	backup.exe
3060	backup.exe
4476	backup.exe
4388	backup.exe
1652	backup.exe
4124	backup.exe
4072	backup.exe
4364	backup.exe
4136	backup.exe
4900	backup.exe
4472	backup.exe
3296	backup.exe
436	backup.exe
4568	backup.exe
1748	backup.exe
1076	backup.exe
4452	data.exe
4460	backup.exe
2192	backup.exe
3492	backup.exe
2392	backup.exe
3104	backup.exe
3640	backup.exe
3256	backup.exe
3544	backup.exe
5012	backup.exe
4088	update.exe
2056	backup.exe
2512	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\update.exe	update.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	update.exe

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\data.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	data.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\serviced\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\update.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe
4540	backup.exe
224	backup.exe
4056	backup.exe
628	backup.exe
4516	data.exe
4664	backup.exe
3156	backup.exe
1268	backup.exe
4400	backup.exe
836	backup.exe
1984	backup.exe
4524	backup.exe
1324	backup.exe
4312	backup.exe
3296	backup.exe
3680	backup.exe
860	backup.exe
3896	backup.exe
3924	update.exe
4528	backup.exe
2264	backup.exe
4972	TrustedInstaller.exe
4736	backup.exe
904	backup.exe
760	backup.exe
4244	BackgroundTransferHost.exe
4224	backup.exe
4836	backup.exe
392	backup.exe
4820	backup.exe
232	backup.exe
4620	backup.exe
4076	backup.exe
1356	backup.exe
1756	backup.exe
4724	backup.exe
3060	backup.exe
4476	backup.exe
4388	backup.exe
1652	backup.exe
4124	backup.exe
4072	backup.exe
4364	backup.exe
4136	backup.exe
4472	backup.exe
4900	backup.exe
436	backup.exe
4568	backup.exe
3296	backup.exe
1748	backup.exe
1076	backup.exe
4460	backup.exe
4452	data.exe
2192	backup.exe
3492	backup.exe
2392	backup.exe
3104	backup.exe
3256	backup.exe
3640	backup.exe
3544	backup.exe
5012	backup.exe
4088	update.exe
2512	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 4540	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	83
PID 2940 wrote to memory of 4540	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	83
PID 2940 wrote to memory of 4540	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	83
PID 2940 wrote to memory of 224	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	84
PID 2940 wrote to memory of 224	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	84
PID 2940 wrote to memory of 224	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	84
PID 2940 wrote to memory of 4056	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	85
PID 2940 wrote to memory of 4056	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	85
PID 2940 wrote to memory of 4056	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	85
PID 4540 wrote to memory of 4516	4540	backup.exe	86
PID 4540 wrote to memory of 4516	4540	backup.exe	86
PID 4540 wrote to memory of 4516	4540	backup.exe	86
PID 2940 wrote to memory of 628	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	87
PID 2940 wrote to memory of 628	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	87
PID 2940 wrote to memory of 628	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	87
PID 2940 wrote to memory of 4664	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	88
PID 2940 wrote to memory of 4664	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	88
PID 2940 wrote to memory of 4664	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	88
PID 4516 wrote to memory of 3156	4516	data.exe	89
PID 4516 wrote to memory of 3156	4516	data.exe	89
PID 4516 wrote to memory of 3156	4516	data.exe	89
PID 2940 wrote to memory of 1268	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	90
PID 2940 wrote to memory of 1268	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	90
PID 2940 wrote to memory of 1268	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	90
PID 4516 wrote to memory of 4400	4516	data.exe	92
PID 4516 wrote to memory of 4400	4516	data.exe	92
PID 4516 wrote to memory of 4400	4516	data.exe	92
PID 2940 wrote to memory of 836	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	93
PID 2940 wrote to memory of 836	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	93
PID 2940 wrote to memory of 836	2940	1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe	93
PID 4516 wrote to memory of 1984	4516	data.exe	94
PID 4516 wrote to memory of 1984	4516	data.exe	94
PID 4516 wrote to memory of 1984	4516	data.exe	94
PID 1984 wrote to memory of 4524	1984	backup.exe	95
PID 1984 wrote to memory of 4524	1984	backup.exe	95
PID 1984 wrote to memory of 4524	1984	backup.exe	95
PID 4524 wrote to memory of 1324	4524	backup.exe	96
PID 4524 wrote to memory of 1324	4524	backup.exe	96
PID 4524 wrote to memory of 1324	4524	backup.exe	96
PID 1984 wrote to memory of 4312	1984	backup.exe	97
PID 1984 wrote to memory of 4312	1984	backup.exe	97
PID 1984 wrote to memory of 4312	1984	backup.exe	97
PID 4312 wrote to memory of 3296	4312	backup.exe	135
PID 4312 wrote to memory of 3296	4312	backup.exe	135
PID 4312 wrote to memory of 3296	4312	backup.exe	135
PID 4312 wrote to memory of 3680	4312	backup.exe	99
PID 4312 wrote to memory of 3680	4312	backup.exe	99
PID 4312 wrote to memory of 3680	4312	backup.exe	99
PID 3680 wrote to memory of 860	3680	backup.exe	100
PID 3680 wrote to memory of 860	3680	backup.exe	100
PID 3680 wrote to memory of 860	3680	backup.exe	100
PID 3680 wrote to memory of 3896	3680	backup.exe	101
PID 3680 wrote to memory of 3896	3680	backup.exe	101
PID 3680 wrote to memory of 3896	3680	backup.exe	101
PID 3896 wrote to memory of 3924	3896	backup.exe	102
PID 3896 wrote to memory of 3924	3896	backup.exe	102
PID 3896 wrote to memory of 3924	3896	backup.exe	102
PID 3896 wrote to memory of 4528	3896	backup.exe	104
PID 3896 wrote to memory of 4528	3896	backup.exe	104
PID 3896 wrote to memory of 4528	3896	backup.exe	104
PID 3896 wrote to memory of 2264	3896	backup.exe	190
PID 3896 wrote to memory of 2264	3896	backup.exe	190
PID 3896 wrote to memory of 2264	3896	backup.exe	190
PID 3896 wrote to memory of 4972	3896	backup.exe	197

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe
"C:\Users\Admin\AppData\Local\Temp\1744efdad4a959e9edad9f0e27228a7167b35688c92989f126e8bbf108029c87.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\252450727\backup.exe
  C:\Users\Admin\AppData\Local\Temp\252450727\backup.exe C:\Users\Admin\AppData\Local\Temp\252450727\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4540
- - C:\data.exe
    \data.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3156
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4400
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1984
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        
        PID:3296
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        
        PID:2264
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        
        PID:4972
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4736
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:760
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:4244
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4724
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        
        PID:4568
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:4460
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:3104
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:1632
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4600
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:2136
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:3560
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2864
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2652
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        System policy modification
        
        PID:2332
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1936
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1880
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2652
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4248
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:568
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:3808
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4472
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:5076
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1020
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4636
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:4984
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:4000
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3192
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:2900
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:3880
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4256
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:3720
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:1380
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:3644
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:1076
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4904
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3612
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:740
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:3524
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4632
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3552
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        8⤵
        System policy modification
        
        PID:4556
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1924
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4444
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:4388
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:436
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:4452
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:3640
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2056
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:388
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        9⤵
        System policy modification
        
        PID:4240
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1956
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\update.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        11⤵
        Drops file in Program Files directory
        
        PID:3680
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:3848
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4100
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3060
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:4124
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:4472
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3492
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:4892
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:2936
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2184
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:5064
        
        C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        10⤵
        
        PID:4120
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1340
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4032
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4008
    - - C:\Program Files\Internet Explorer\update.exe
        
        "C:\Program Files\Internet Explorer\update.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3944
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:5048
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4936
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3848
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1724
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1052
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        System policy modification
        
        PID:3856
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:460
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4672
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3320
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        System policy modification
        
        PID:1196
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        
        PID:4848
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:1652
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        
        PID:1020
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:4320
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        System policy modification
        
        PID:1924
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:4568
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        
        PID:4636
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4892
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\
        10⤵
        
        PID:2332
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
        9⤵
        
        PID:4800
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        
        PID:4292
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:2400
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4240
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3808
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        System policy modification
        
        PID:3720
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1644
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:3488
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        Disables RegEdit via registry modification
        
        PID:5048
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:404
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:4388
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4256
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:4912
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4352
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:3164
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        
        PID:3120
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2548
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\
        9⤵
        Drops file in Program Files directory
        
        PID:2268
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\
        10⤵
        Drops file in Program Files directory
        
        PID:2172
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        Disables RegEdit via registry modification
        
        PID:3748
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:4404
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\
        10⤵
        
        PID:1612
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:1184
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
        10⤵
        
        PID:4316
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
        9⤵
        
        PID:1800
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        10⤵
        
        PID:4072
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\
        10⤵
        
        PID:4896
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        System policy modification
        
        PID:4404
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:3748
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:4364
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:3616
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3808
        
        C:\Program Files\Java\jre1.8.0_66\lib\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\data.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:4104
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3848
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5080
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        
        PID:3024
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4100
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        System policy modification
        
        PID:648
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:3104
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        
        PID:2868
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:3808
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        
        PID:4796
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:4832
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:4552
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3064
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:2420
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Disables RegEdit via registry modification
        
        PID:796
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:2184
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:996
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4308
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3844
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        System policy modification
        
        PID:1076
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\update.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\update.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:4976
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        System policy modification
        
        PID:1756
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:3056
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        System policy modification
        
        PID:1624
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:3496
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:856
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:1188
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4316
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        System policy modification
        
        PID:4508
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        Drops file in Program Files directory
        
        PID:4444
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\
        9⤵
        
        PID:1488
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:4336
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        System policy modification
        
        PID:2456
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\
        9⤵
        Drops file in Program Files directory
        
        PID:3760
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\
        10⤵
        
        PID:4228
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\
        11⤵
        
        PID:4640
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\
        12⤵
        
        PID:4776
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1948
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5072
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:4020
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:4196
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:368
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:1616
        
        C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:1052
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:4988
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4568
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:4616
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4684
      - C:\Program Files\MSBuild\Microsoft\System Restore.exe
        
        "C:\Program Files\MSBuild\Microsoft\System Restore.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:4448
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        System policy modification
        
        PID:1652
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:4120
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\data.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\data.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        System policy modification
        
        PID:568
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:4856
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:4872
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1952
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        Drops file in Program Files directory
        
        PID:568
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:5004
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        System policy modification
        
        PID:4444
      - C:\Program Files\VideoLAN\VLC\data.exe
        
        "C:\Program Files\VideoLAN\VLC\data.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1948
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:5072
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        System policy modification
        
        PID:2984
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:1036
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4224
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:4364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:4320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:5076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        System policy modification
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Drops file in Program Files directory
        
        PID:3716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:3848
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        System policy modification
        
        PID:4372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3588
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2316
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:4580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        Drops file in Program Files directory
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        Disables RegEdit via registry modification
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:3652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        Drops file in Program Files directory
        
        PID:3168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:3756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:2436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:4128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:2820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:3096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        System policy modification
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        
        PID:4308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:1324
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2664
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\update.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:1948
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3640
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4448
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:540
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2376
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Disables RegEdit via registry modification
        
        PID:5048
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Drops file in Program Files directory
        
        PID:4824
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2936
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3056
      - C:\Program Files (x86)\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:2596
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        Drops file in Program Files directory
        
        PID:3680
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2960
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:2356
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4792
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3832
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4412
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2032
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:3460
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:388
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1720
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:488
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:4268
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:3308
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:1972
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1412
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1044
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        System policy modification
        
        PID:2256
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:4564
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3260
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1612
        
        C:\Program Files (x86)\Common Files\System\Ole DB\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4936
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\update.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3260
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1248
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:2612
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:388
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:4100
        
        C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Google\Update\Offline\data.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\data.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1036
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4432
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        Executes dropped EXE
        
        PID:2056
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4232
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3924
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:836
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        Disables RegEdit via registry modification
        
        PID:404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        Drops file in Program Files directory
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:3228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:3564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:3488
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3784
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\
        7⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:3756
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\data.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\
        9⤵
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\
        8⤵
        
        PID:1716
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
    - - C:\Program Files (x86)\Microsoft.NET\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft.NET\System Restore.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:3552
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4352
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3652
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        System policy modification
        
        PID:4892
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4108
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4316
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:4012
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:4988
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1200
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:4136
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2256
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:912
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:1216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        7⤵
        
        PID:2960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        8⤵
        
        PID:4352
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:5088
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:4216
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2976
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4600
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3748
      - C:\Users\Admin\Links\data.exe
        
        C:\Users\Admin\Links\data.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2984
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4124
      - C:\Users\Admin\OneDrive\data.exe
        
        C:\Users\Admin\OneDrive\data.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:5076
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3552
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2988
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3640
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1348
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3884
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:4000
      - C:\Users\Public\Downloads\System Restore.exe
        
        "C:\Users\Public\Downloads\System Restore.exe" C:\Users\Public\Downloads\
        6⤵
        
        PID:2608
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2016
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1660
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:688
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:5064
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:1948
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4632
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:5088
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:2032
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4292
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:4648
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3260
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4568
      - C:\Windows\apppatch\AppPatch64\update.exe
        
        C:\Windows\apppatch\AppPatch64\update.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:436
      - C:\Windows\apppatch\CustomSDB\data.exe
        
        C:\Windows\apppatch\CustomSDB\data.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:1316
    - - C:\Windows\AppReadiness\data.exe
        
        C:\Windows\AppReadiness\data.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:1492
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:1868
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:1656
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        
        PID:4100
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5004
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:4960
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1924
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:3028
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4544
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:3600
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2832
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:1988
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4412
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:4432
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:912
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        Drops file in Windows directory
        
        PID:4260
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:1964
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\update.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\update.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1732
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:1900
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3976
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:4100
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2608
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        Drops file in Windows directory
        
        PID:4704
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4148
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:5048
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2324
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4904
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\System Restore.exe
        
        "C:\Windows\assembly\GAC_MSIL\Accessibility\System Restore.exe" C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:368
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        Drops file in Windows directory
        
        PID:1340
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        7⤵
        
        PID:4868
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:3488
    - - C:\Windows\Branding\data.exe
        
        C:\Windows\Branding\data.exe C:\Windows\Branding\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4800
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:5092
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:4776
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3988
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        Drops file in Windows directory
        
        PID:2900
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3808
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2464
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2376
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:224
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:628
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4664
- - C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
    3⤵
    PID:4700
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:836

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
1⤵
PID:4140

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
1⤵
PID:2356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
1⤵
PID:3924

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
1⤵
- Disables RegEdit via registry modification
PID:4008

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
1⤵
PID:4256
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
  2⤵
  - Drops file in Program Files directory
  PID:4120
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
    3⤵
    PID:1960
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
      4⤵
      PID:3884
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
      4⤵
      PID:1652
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
      4⤵
      Disables RegEdit via registry modification
      PID:4904
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
    3⤵
    PID:4640
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1488
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
      4⤵
      PID:1348
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
      4⤵
      PID:5096
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\System Restore.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4824
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
      4⤵
      System policy modification
      PID:4584
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:936
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1036

C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
1⤵
- Disables RegEdit via registry modification
PID:968
- C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\data.exe
  "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\data.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
  2⤵
  - Drops file in Program Files directory
  PID:1216

C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
1⤵
PID:1616
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
  2⤵
  PID:936
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
  2⤵
  - Disables RegEdit via registry modification
  PID:1076
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
  2⤵
  - Disables RegEdit via registry modification
  PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
36cc9f55bd8fa319ee01769cc39efe24

SHA1
15a32188ac83da606078d7bc697da48ea5351291

SHA256
0639fa82b8b9ea2b6e2a02b0a979f3090b8f4f60a0566e9abc70ca899ad45fad

SHA512
2917c7163dc74e49f218be0a3f593a7c156eed937b721f52d01b1e2efb85902edb73f7a6749fa14cf02cc370cfbd8a62b25d3037f15a4263534e10f2a3134ea8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
36cc9f55bd8fa319ee01769cc39efe24

SHA1
15a32188ac83da606078d7bc697da48ea5351291

SHA256
0639fa82b8b9ea2b6e2a02b0a979f3090b8f4f60a0566e9abc70ca899ad45fad

SHA512
2917c7163dc74e49f218be0a3f593a7c156eed937b721f52d01b1e2efb85902edb73f7a6749fa14cf02cc370cfbd8a62b25d3037f15a4263534e10f2a3134ea8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
c944992488c3443d08bba35451ecb9c7

SHA1
a2b2bafafb12940f2fee259f23a6806cd4054ea4

SHA256
4f8276bfd6a6fdce4d3b27ebbd23645377b81c33e175e5b031bcea5ab04ff859

SHA512
55550f583a4d907cd35795ae83887b082fcfb4563e1c429b6171ee2154ddcaa11118c1af7868dc48c7048008d73153ab7a72684157aadbb17c679dbd063b8525

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
c944992488c3443d08bba35451ecb9c7

SHA1
a2b2bafafb12940f2fee259f23a6806cd4054ea4

SHA256
4f8276bfd6a6fdce4d3b27ebbd23645377b81c33e175e5b031bcea5ab04ff859

SHA512
55550f583a4d907cd35795ae83887b082fcfb4563e1c429b6171ee2154ddcaa11118c1af7868dc48c7048008d73153ab7a72684157aadbb17c679dbd063b8525

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
f295c6955da601c07efe45bc0036e770

SHA1
426ef9a6e11e7a12cd5c0cfa1647243d8f57c6f9

SHA256
1f052365d5e3522505b6348bd287315edf18ab30dec59f946037007b808e4165

SHA512
740726e3f98a46bac7e6c4e2ac7bec3e54b7f300b59bbc03c14abf64004350541d070afb857fac94e965cbaa2b9c8ad8b2e691c889d1c10d2d4d63b717cde77f

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
f295c6955da601c07efe45bc0036e770

SHA1
426ef9a6e11e7a12cd5c0cfa1647243d8f57c6f9

SHA256
1f052365d5e3522505b6348bd287315edf18ab30dec59f946037007b808e4165

SHA512
740726e3f98a46bac7e6c4e2ac7bec3e54b7f300b59bbc03c14abf64004350541d070afb857fac94e965cbaa2b9c8ad8b2e691c889d1c10d2d4d63b717cde77f

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
e4ee60148d85ee4c4b9483c228279a56

SHA1
581bcfff8fd7f2a467572ae1d8e43ebff0fb03b6

SHA256
d39f5399a9c06ff44698767230ccdcec6b2a7edcc0fc366a1245476c90bbec31

SHA512
673d51d7a8aae3468652441997eb46f9956ab37b9792bac9e01d219ef662d2573adfc0b380efb6bcd81a3bac27feb29a76a0128faab7c21e1c9e9d139703a051

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
e4ee60148d85ee4c4b9483c228279a56

SHA1
581bcfff8fd7f2a467572ae1d8e43ebff0fb03b6

SHA256
d39f5399a9c06ff44698767230ccdcec6b2a7edcc0fc366a1245476c90bbec31

SHA512
673d51d7a8aae3468652441997eb46f9956ab37b9792bac9e01d219ef662d2573adfc0b380efb6bcd81a3bac27feb29a76a0128faab7c21e1c9e9d139703a051

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
40be377ea83ceb24ee746cabc6488aed

SHA1
c094e6c5dbc5a50bf43d6d25a3ab29d48411ced7

SHA256
d53a82689ac1fa93d8582b9173babdc52e6c5573bf332539c3ad4b47b308fe7c

SHA512
a3e118fc015bd4167fe56ad87aa7389c76273cffaf38dc6acb49082eb19d4b19398d47c3151bd75984a6b3fb72235e1af752e8f6c456effca5ad7176db42b1da

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
40be377ea83ceb24ee746cabc6488aed

SHA1
c094e6c5dbc5a50bf43d6d25a3ab29d48411ced7

SHA256
d53a82689ac1fa93d8582b9173babdc52e6c5573bf332539c3ad4b47b308fe7c

SHA512
a3e118fc015bd4167fe56ad87aa7389c76273cffaf38dc6acb49082eb19d4b19398d47c3151bd75984a6b3fb72235e1af752e8f6c456effca5ad7176db42b1da

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
769ee7aa6689b2260fc23d149e9c7563

SHA1
12b1de7e2feafdfb1d72f9c15ae213859ceeec30

SHA256
4211c40b5e784a5238dba16dbd0239c45bf3f6f6acb55796282891b8fae65274

SHA512
8a160c3b54b99313d6777283f6bdd5248bfc09aaa3cfea5455561dac0cfab43af5b5e156f37f017bffa40a7ec1278bc22b646acad00cbf984b6f5dc4c6b03a14

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
769ee7aa6689b2260fc23d149e9c7563

SHA1
12b1de7e2feafdfb1d72f9c15ae213859ceeec30

SHA256
4211c40b5e784a5238dba16dbd0239c45bf3f6f6acb55796282891b8fae65274

SHA512
8a160c3b54b99313d6777283f6bdd5248bfc09aaa3cfea5455561dac0cfab43af5b5e156f37f017bffa40a7ec1278bc22b646acad00cbf984b6f5dc4c6b03a14

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
cb7a2a3d5ca78766eb2141f37b578ae7

SHA1
4e38b7dd336c03f0d799214610e2c1d171582d8d

SHA256
cf583bd528c6d974fb08b64cd82b88f5679c898a581cc31e0a9832c0ee3c44e1

SHA512
b0fb1571715d7e738c3aa6300b67173d7104ddbbb46b2f4cb8535ccc7c94fefd52477d8b4ef421673fd2bdc899ceee9ad323615b09e3c7cbfd8d227b01fe9852

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
cb7a2a3d5ca78766eb2141f37b578ae7

SHA1
4e38b7dd336c03f0d799214610e2c1d171582d8d

SHA256
cf583bd528c6d974fb08b64cd82b88f5679c898a581cc31e0a9832c0ee3c44e1

SHA512
b0fb1571715d7e738c3aa6300b67173d7104ddbbb46b2f4cb8535ccc7c94fefd52477d8b4ef421673fd2bdc899ceee9ad323615b09e3c7cbfd8d227b01fe9852

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
42b621ff3c565e11d34f64d92dabeff7

SHA1
270b1799e379312d914525799dff603aafbc239f

SHA256
488242da69b81936538ce7938818d53dab60feb83cc89a4ac600d7bdb64d3d3d

SHA512
7c572d7eac2db9dbae253603f88e00a6b1ba4cf62c5a004d6df587f0ffd90ecdb55b65b8f53c3b5c55a54cb8c926092101df82a849343e99e412e39c57b2ba6b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
42b621ff3c565e11d34f64d92dabeff7

SHA1
270b1799e379312d914525799dff603aafbc239f

SHA256
488242da69b81936538ce7938818d53dab60feb83cc89a4ac600d7bdb64d3d3d

SHA512
7c572d7eac2db9dbae253603f88e00a6b1ba4cf62c5a004d6df587f0ffd90ecdb55b65b8f53c3b5c55a54cb8c926092101df82a849343e99e412e39c57b2ba6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
888e20045fbd401b2c04ed3800c17508

SHA1
44bf89af8b07bea363a03b68b0c04f2e3d2f421b

SHA256
506ef02fd835bf0946a095916093c70db306675e4a68c9416e5b5fbf76840410

SHA512
1fbf5899a98fbe2c916a6f6e61691a30b9e2163b0568d89cc4770585c4d8e57bce52fd5d270d05545a47b9545db8e08275d7ebdb988338b64b86dad3b28cf79b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
888e20045fbd401b2c04ed3800c17508

SHA1
44bf89af8b07bea363a03b68b0c04f2e3d2f421b

SHA256
506ef02fd835bf0946a095916093c70db306675e4a68c9416e5b5fbf76840410

SHA512
1fbf5899a98fbe2c916a6f6e61691a30b9e2163b0568d89cc4770585c4d8e57bce52fd5d270d05545a47b9545db8e08275d7ebdb988338b64b86dad3b28cf79b

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
cb7a2a3d5ca78766eb2141f37b578ae7

SHA1
4e38b7dd336c03f0d799214610e2c1d171582d8d

SHA256
cf583bd528c6d974fb08b64cd82b88f5679c898a581cc31e0a9832c0ee3c44e1

SHA512
b0fb1571715d7e738c3aa6300b67173d7104ddbbb46b2f4cb8535ccc7c94fefd52477d8b4ef421673fd2bdc899ceee9ad323615b09e3c7cbfd8d227b01fe9852

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
cb7a2a3d5ca78766eb2141f37b578ae7

SHA1
4e38b7dd336c03f0d799214610e2c1d171582d8d

SHA256
cf583bd528c6d974fb08b64cd82b88f5679c898a581cc31e0a9832c0ee3c44e1

SHA512
b0fb1571715d7e738c3aa6300b67173d7104ddbbb46b2f4cb8535ccc7c94fefd52477d8b4ef421673fd2bdc899ceee9ad323615b09e3c7cbfd8d227b01fe9852

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
a392379e077e9ffb87aa76131f0891e9

SHA1
66189e5f4a47624209a51cedcac8c8780d7b844f

SHA256
4a547cf882d9fda2bdeb53e9b5a063ff053f37f0ab10812283fe0fb6d0a6f5d1

SHA512
7d06ae312c1a3fc116dd630e17c53bec50d5c907f01a4be2b408ec4e699c2e39a3db2cb38f4858dc9d9f12d68f226d0b3f0bacb3971213f6bcd1871e6660a762

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\update.exe

Filesize
72KB

MD5
a392379e077e9ffb87aa76131f0891e9

SHA1
66189e5f4a47624209a51cedcac8c8780d7b844f

SHA256
4a547cf882d9fda2bdeb53e9b5a063ff053f37f0ab10812283fe0fb6d0a6f5d1

SHA512
7d06ae312c1a3fc116dd630e17c53bec50d5c907f01a4be2b408ec4e699c2e39a3db2cb38f4858dc9d9f12d68f226d0b3f0bacb3971213f6bcd1871e6660a762

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d00658f73b5b8216567370f815e6a208

SHA1
757cabba2af6f6175a2bbf1dabb423f13ce75148

SHA256
5bcf8a7c1fbcae4b795139b043321fdb77720d828a62a5be956180cc3d92b350

SHA512
b4c56f895f1731bc14591e40d0fca93db5e4b4a70516417da5f3f472a8320fcef4890f56709f541509b5196c9c4db8352a07a16199a789aace7b61158b58c492

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d00658f73b5b8216567370f815e6a208

SHA1
757cabba2af6f6175a2bbf1dabb423f13ce75148

SHA256
5bcf8a7c1fbcae4b795139b043321fdb77720d828a62a5be956180cc3d92b350

SHA512
b4c56f895f1731bc14591e40d0fca93db5e4b4a70516417da5f3f472a8320fcef4890f56709f541509b5196c9c4db8352a07a16199a789aace7b61158b58c492

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e23bb97d251cf378f74b351ff0fa4b2f

SHA1
55db8b7c853010bd38edf638ff27c4c4958759ef

SHA256
ea47d96aec68738f106b9397006907891a3df630ba123252724b067dcc3ce419

SHA512
fcb7f2757d26619cf608696c6d974c6c4bf15a43769292568ba66c8f80046c511667a99f6add6ce8536fbba799e706cbdfe848b70106ac2541c042baaae4557f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
e23bb97d251cf378f74b351ff0fa4b2f

SHA1
55db8b7c853010bd38edf638ff27c4c4958759ef

SHA256
ea47d96aec68738f106b9397006907891a3df630ba123252724b067dcc3ce419

SHA512
fcb7f2757d26619cf608696c6d974c6c4bf15a43769292568ba66c8f80046c511667a99f6add6ce8536fbba799e706cbdfe848b70106ac2541c042baaae4557f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e23bb97d251cf378f74b351ff0fa4b2f

SHA1
55db8b7c853010bd38edf638ff27c4c4958759ef

SHA256
ea47d96aec68738f106b9397006907891a3df630ba123252724b067dcc3ce419

SHA512
fcb7f2757d26619cf608696c6d974c6c4bf15a43769292568ba66c8f80046c511667a99f6add6ce8536fbba799e706cbdfe848b70106ac2541c042baaae4557f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
e23bb97d251cf378f74b351ff0fa4b2f

SHA1
55db8b7c853010bd38edf638ff27c4c4958759ef

SHA256
ea47d96aec68738f106b9397006907891a3df630ba123252724b067dcc3ce419

SHA512
fcb7f2757d26619cf608696c6d974c6c4bf15a43769292568ba66c8f80046c511667a99f6add6ce8536fbba799e706cbdfe848b70106ac2541c042baaae4557f

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
8aa6f5d16060f129d92047cbebacaf60

SHA1
6c38a9bd9e0d19db702493fff7ada4601258f8fa

SHA256
f5ecdb0819c7dce69f1edbba17ee2cb1f7bcd02062fe649b9a2be9b16e9b5cf4

SHA512
1cf60aaf7199664632fa7f157c10f83bf568c57f47eddfbc84a1eaae1506e6d291bc478f75f3c48213ca96dd4e828e3c2efd305a4c3ad93a4c0197aab0757159

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
8aa6f5d16060f129d92047cbebacaf60

SHA1
6c38a9bd9e0d19db702493fff7ada4601258f8fa

SHA256
f5ecdb0819c7dce69f1edbba17ee2cb1f7bcd02062fe649b9a2be9b16e9b5cf4

SHA512
1cf60aaf7199664632fa7f157c10f83bf568c57f47eddfbc84a1eaae1506e6d291bc478f75f3c48213ca96dd4e828e3c2efd305a4c3ad93a4c0197aab0757159

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8aa6f5d16060f129d92047cbebacaf60

SHA1
6c38a9bd9e0d19db702493fff7ada4601258f8fa

SHA256
f5ecdb0819c7dce69f1edbba17ee2cb1f7bcd02062fe649b9a2be9b16e9b5cf4

SHA512
1cf60aaf7199664632fa7f157c10f83bf568c57f47eddfbc84a1eaae1506e6d291bc478f75f3c48213ca96dd4e828e3c2efd305a4c3ad93a4c0197aab0757159

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
8aa6f5d16060f129d92047cbebacaf60

SHA1
6c38a9bd9e0d19db702493fff7ada4601258f8fa

SHA256
f5ecdb0819c7dce69f1edbba17ee2cb1f7bcd02062fe649b9a2be9b16e9b5cf4

SHA512
1cf60aaf7199664632fa7f157c10f83bf568c57f47eddfbc84a1eaae1506e6d291bc478f75f3c48213ca96dd4e828e3c2efd305a4c3ad93a4c0197aab0757159

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d5ac130f5634e5e9e536d7873752edef

SHA1
def4980460960ce7e92f2a6473b370d391ff012b

SHA256
9473c8e7760d7f2f25e489346ddf0133817aefb744ccce491326240aba693e3e

SHA512
dd14d04a2d1d9ab9211120a408466db2b0388761a8d91f3e288d257484d25635e4f0966c40c97a102ec4a601e537cacce6dc133e320152bcb7830ed7a6b13e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
d5ac130f5634e5e9e536d7873752edef

SHA1
def4980460960ce7e92f2a6473b370d391ff012b

SHA256
9473c8e7760d7f2f25e489346ddf0133817aefb744ccce491326240aba693e3e

SHA512
dd14d04a2d1d9ab9211120a408466db2b0388761a8d91f3e288d257484d25635e4f0966c40c97a102ec4a601e537cacce6dc133e320152bcb7830ed7a6b13e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d5ac130f5634e5e9e536d7873752edef

SHA1
def4980460960ce7e92f2a6473b370d391ff012b

SHA256
9473c8e7760d7f2f25e489346ddf0133817aefb744ccce491326240aba693e3e

SHA512
dd14d04a2d1d9ab9211120a408466db2b0388761a8d91f3e288d257484d25635e4f0966c40c97a102ec4a601e537cacce6dc133e320152bcb7830ed7a6b13e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
d5ac130f5634e5e9e536d7873752edef

SHA1
def4980460960ce7e92f2a6473b370d391ff012b

SHA256
9473c8e7760d7f2f25e489346ddf0133817aefb744ccce491326240aba693e3e

SHA512
dd14d04a2d1d9ab9211120a408466db2b0388761a8d91f3e288d257484d25635e4f0966c40c97a102ec4a601e537cacce6dc133e320152bcb7830ed7a6b13e7c

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe

Filesize
72KB

MD5
8026a0fbe013aa13f0ebe191d7ae1820

SHA1
1bf2a98ef4c6990ab768533fc410cb8146e77cb2

SHA256
c302a1dfe1526f3503778536dafce38346d1e11e3cb73f004b7509513abc7247

SHA512
2e52b97b0acfb4bd0c1c461fef036d516616789baf9a2bbae991d1da8184d2c8f7fd4b60368cdf7505f254383e0d6c186344132b712465507bb25745cb2de898

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe

Filesize
72KB

MD5
8026a0fbe013aa13f0ebe191d7ae1820

SHA1
1bf2a98ef4c6990ab768533fc410cb8146e77cb2

SHA256
c302a1dfe1526f3503778536dafce38346d1e11e3cb73f004b7509513abc7247

SHA512
2e52b97b0acfb4bd0c1c461fef036d516616789baf9a2bbae991d1da8184d2c8f7fd4b60368cdf7505f254383e0d6c186344132b712465507bb25745cb2de898

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
ff2634a36d3deb7e4e08516eb12d9d62

SHA1
642021085dbbb6376d94fcd1eec681fd76f4ff3a

SHA256
205e2a0587981e963abe48f976e9e284abbbc4835d440202aa95c52ebebacf08

SHA512
3cc0b80a1a73ce40c3e7ae4d5c4e1295cc27fe562c4abb4711dd2f04a9932606d3848b04bdfd8e26849fee07dbcf91d22e7bd4325d18b6f6cfcb8795976ace21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
ff2634a36d3deb7e4e08516eb12d9d62

SHA1
642021085dbbb6376d94fcd1eec681fd76f4ff3a

SHA256
205e2a0587981e963abe48f976e9e284abbbc4835d440202aa95c52ebebacf08

SHA512
3cc0b80a1a73ce40c3e7ae4d5c4e1295cc27fe562c4abb4711dd2f04a9932606d3848b04bdfd8e26849fee07dbcf91d22e7bd4325d18b6f6cfcb8795976ace21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ff2634a36d3deb7e4e08516eb12d9d62

SHA1
642021085dbbb6376d94fcd1eec681fd76f4ff3a

SHA256
205e2a0587981e963abe48f976e9e284abbbc4835d440202aa95c52ebebacf08

SHA512
3cc0b80a1a73ce40c3e7ae4d5c4e1295cc27fe562c4abb4711dd2f04a9932606d3848b04bdfd8e26849fee07dbcf91d22e7bd4325d18b6f6cfcb8795976ace21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
ff2634a36d3deb7e4e08516eb12d9d62

SHA1
642021085dbbb6376d94fcd1eec681fd76f4ff3a

SHA256
205e2a0587981e963abe48f976e9e284abbbc4835d440202aa95c52ebebacf08

SHA512
3cc0b80a1a73ce40c3e7ae4d5c4e1295cc27fe562c4abb4711dd2f04a9932606d3848b04bdfd8e26849fee07dbcf91d22e7bd4325d18b6f6cfcb8795976ace21

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
43874227bcfffc97064f3cc4e746c5e7

SHA1
7b4625f268c07c585be7f411ca857447c676ca44

SHA256
db80af9dd4d36f3ab6ad947acecef10b7a482a16be1dcb6c4ccc0858702d41be

SHA512
d714d57a19253a17ba57d1b77d5f5f6b6bc24129706804399640b0f66562e1e79099b48f7fe8270e6d9a783003c161aeef2ded4d1c64b8b8e46ff6a9e2cf5b7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
43874227bcfffc97064f3cc4e746c5e7

SHA1
7b4625f268c07c585be7f411ca857447c676ca44

SHA256
db80af9dd4d36f3ab6ad947acecef10b7a482a16be1dcb6c4ccc0858702d41be

SHA512
d714d57a19253a17ba57d1b77d5f5f6b6bc24129706804399640b0f66562e1e79099b48f7fe8270e6d9a783003c161aeef2ded4d1c64b8b8e46ff6a9e2cf5b7b

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
36213ef101f87fc4bd19ea0e2b90b254

SHA1
f1a65eb7433261067ce8568408a718d1fdc425e1

SHA256
7296efd14623527e16dc642827b4b0b34cfd0052b1ce4f6b6c9e1984528a867b

SHA512
19cdb9de2b368982a053a67d819d312395c0d5380747fa17fcf6daf7968a094c1638fe748db804848909932b2db41e08867746a0b43056d731cacf93837439c9

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
36213ef101f87fc4bd19ea0e2b90b254

SHA1
f1a65eb7433261067ce8568408a718d1fdc425e1

SHA256
7296efd14623527e16dc642827b4b0b34cfd0052b1ce4f6b6c9e1984528a867b

SHA512
19cdb9de2b368982a053a67d819d312395c0d5380747fa17fcf6daf7968a094c1638fe748db804848909932b2db41e08867746a0b43056d731cacf93837439c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\252450727\backup.exe

Filesize
72KB

MD5
fbafd8524211ace2d4fa4f75e4ccf312

SHA1
8e012859a01af101bbb4ed230aea540ca50adc2d

SHA256
b6df3408c81304e4af4fd456329a6ffd9f4f25305d5f0e42a450a12d44b13a3d

SHA512
9db78f53f5ed7385869e4fc502cd97573a6e3698d0bd26381cbecee97dd38ec1605497442d677ee9debe8818dd7a5e5ea487080143f135917251a2deaf214c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\252450727\backup.exe

Filesize
72KB

MD5
fbafd8524211ace2d4fa4f75e4ccf312

SHA1
8e012859a01af101bbb4ed230aea540ca50adc2d

SHA256
b6df3408c81304e4af4fd456329a6ffd9f4f25305d5f0e42a450a12d44b13a3d

SHA512
9db78f53f5ed7385869e4fc502cd97573a6e3698d0bd26381cbecee97dd38ec1605497442d677ee9debe8818dd7a5e5ea487080143f135917251a2deaf214c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2faac464d3f8db5a22099542918642b3

SHA1
d9b816e975219be8c6840dd0ddba1ad13743bc5e

SHA256
88812a4a2dcbb4bcff2d5db559ffc1103da1674b972afa03d1cfe1a750f1742c

SHA512
e27d5397ba9b31a54bc44979569190d1cf2f7a100daa13de0e11e0187ca7ea3e0694b93d7b3740b9dadbf8c42e058ba740b89701f6f226e6e4c49c8377a494aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
2faac464d3f8db5a22099542918642b3

SHA1
d9b816e975219be8c6840dd0ddba1ad13743bc5e

SHA256
88812a4a2dcbb4bcff2d5db559ffc1103da1674b972afa03d1cfe1a750f1742c

SHA512
e27d5397ba9b31a54bc44979569190d1cf2f7a100daa13de0e11e0187ca7ea3e0694b93d7b3740b9dadbf8c42e058ba740b89701f6f226e6e4c49c8377a494aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4aa3e31b4a879192ad9f08fa645575b8

SHA1
ebb7486de85a69bc46c22cddb15a3adea5e3a1b5

SHA256
9c20f91eb049bb5f634fc29f5ee2b7fa4b4ca39a04099b3b5b48b30ef09a0ca5

SHA512
0b3c95fc466354c205a7a3bf65dcd3ff0d672c6cafa713fef9061746ca0c5d9f8b5f64dbb458a7fa5b3e50d7e99926e8d2542e946262654e42712a7208e9f1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4aa3e31b4a879192ad9f08fa645575b8

SHA1
ebb7486de85a69bc46c22cddb15a3adea5e3a1b5

SHA256
9c20f91eb049bb5f634fc29f5ee2b7fa4b4ca39a04099b3b5b48b30ef09a0ca5

SHA512
0b3c95fc466354c205a7a3bf65dcd3ff0d672c6cafa713fef9061746ca0c5d9f8b5f64dbb458a7fa5b3e50d7e99926e8d2542e946262654e42712a7208e9f1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4aa3e31b4a879192ad9f08fa645575b8

SHA1
ebb7486de85a69bc46c22cddb15a3adea5e3a1b5

SHA256
9c20f91eb049bb5f634fc29f5ee2b7fa4b4ca39a04099b3b5b48b30ef09a0ca5

SHA512
0b3c95fc466354c205a7a3bf65dcd3ff0d672c6cafa713fef9061746ca0c5d9f8b5f64dbb458a7fa5b3e50d7e99926e8d2542e946262654e42712a7208e9f1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4aa3e31b4a879192ad9f08fa645575b8

SHA1
ebb7486de85a69bc46c22cddb15a3adea5e3a1b5

SHA256
9c20f91eb049bb5f634fc29f5ee2b7fa4b4ca39a04099b3b5b48b30ef09a0ca5

SHA512
0b3c95fc466354c205a7a3bf65dcd3ff0d672c6cafa713fef9061746ca0c5d9f8b5f64dbb458a7fa5b3e50d7e99926e8d2542e946262654e42712a7208e9f1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
8daec649619035c27e9c86fd932a59df

SHA1
59e66b4efc83bfd009177de8026e12adf0e68456

SHA256
c92acc18be96562ec324890f76d255fd82ab0a6aa975f2cfb637e51b1a80e28d

SHA512
5f56acc47ae9668a933ee4a4ed2cdabf130100999cf619b589edf526bf6c9ea0d6bb89f78d5483e6d531c4146b47f617ac48f39ba3a75804df48075e6ea78b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
8daec649619035c27e9c86fd932a59df

SHA1
59e66b4efc83bfd009177de8026e12adf0e68456

SHA256
c92acc18be96562ec324890f76d255fd82ab0a6aa975f2cfb637e51b1a80e28d

SHA512
5f56acc47ae9668a933ee4a4ed2cdabf130100999cf619b589edf526bf6c9ea0d6bb89f78d5483e6d531c4146b47f617ac48f39ba3a75804df48075e6ea78b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
8daec649619035c27e9c86fd932a59df

SHA1
59e66b4efc83bfd009177de8026e12adf0e68456

SHA256
c92acc18be96562ec324890f76d255fd82ab0a6aa975f2cfb637e51b1a80e28d

SHA512
5f56acc47ae9668a933ee4a4ed2cdabf130100999cf619b589edf526bf6c9ea0d6bb89f78d5483e6d531c4146b47f617ac48f39ba3a75804df48075e6ea78b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
8daec649619035c27e9c86fd932a59df

SHA1
59e66b4efc83bfd009177de8026e12adf0e68456

SHA256
c92acc18be96562ec324890f76d255fd82ab0a6aa975f2cfb637e51b1a80e28d

SHA512
5f56acc47ae9668a933ee4a4ed2cdabf130100999cf619b589edf526bf6c9ea0d6bb89f78d5483e6d531c4146b47f617ac48f39ba3a75804df48075e6ea78b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
3aae016e83909afc2d729ac5c8eb3ded

SHA1
d7f41e6a65d529a6c90096091ba81a290748dc2e

SHA256
9f75b373252de8074048a82658b90d4cf44289e118116e353edb1b54c201c3ce

SHA512
56815b7adaf3bc94315dfcc5f2b77ea7ba47281014f808e2c9a71358d1bf0e7f2d88522982427699b6be041f99f0b6307b97cb06c8d638f434df11c228af27f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
3aae016e83909afc2d729ac5c8eb3ded

SHA1
d7f41e6a65d529a6c90096091ba81a290748dc2e

SHA256
9f75b373252de8074048a82658b90d4cf44289e118116e353edb1b54c201c3ce

SHA512
56815b7adaf3bc94315dfcc5f2b77ea7ba47281014f808e2c9a71358d1bf0e7f2d88522982427699b6be041f99f0b6307b97cb06c8d638f434df11c228af27f8

Download Submit
C:\data.exe

Filesize
72KB

MD5
1ca270817e074498dce3513105a8eff6

SHA1
56e42d05892c9e810c7099d9f5e93da4917df1ae

SHA256
d07f2854e3a0d896772d275fe2dab3c456af76d95f31c648e59277457f301acc

SHA512
2c6efbe8ea7bd8c6c7f3f9a95944986f39e8490b1a4e73269dd17cd66c5a27a942d88dedaaf70c9ddff0969050f3412d2178101a030f34203b060fa6f8f9c93c

Download Submit
C:\data.exe

Filesize
72KB

MD5
1ca270817e074498dce3513105a8eff6

SHA1
56e42d05892c9e810c7099d9f5e93da4917df1ae

SHA256
d07f2854e3a0d896772d275fe2dab3c456af76d95f31c648e59277457f301acc

SHA512
2c6efbe8ea7bd8c6c7f3f9a95944986f39e8490b1a4e73269dd17cd66c5a27a942d88dedaaf70c9ddff0969050f3412d2178101a030f34203b060fa6f8f9c93c

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
a38c42202ceae27deaf8e9df9f7e656c

SHA1
b314c9b99340016c73df80649ed034161572c196

SHA256
b9d78bf1f18f35e870f6828491554a40664bab3fdbf8d46a0489e79a8a7ae7ef

SHA512
0f068188d2fc18fb3699e41ce7b735a72d1ea09132e56cbcc0c54b2ab464a728eb187acebf958523bb7db71fd11ba3550d0dc63e317db1d1d379a2aeacbcabff

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
a38c42202ceae27deaf8e9df9f7e656c

SHA1
b314c9b99340016c73df80649ed034161572c196

SHA256
b9d78bf1f18f35e870f6828491554a40664bab3fdbf8d46a0489e79a8a7ae7ef

SHA512
0f068188d2fc18fb3699e41ce7b735a72d1ea09132e56cbcc0c54b2ab464a728eb187acebf958523bb7db71fd11ba3550d0dc63e317db1d1d379a2aeacbcabff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads