204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f

Analysis

max time kernel
152s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe
Size

72KB
MD5

45fb891857d5820c940fe056d5668570
SHA1

772d858e3a9da147fadcff9672bf8608c30e3009
SHA256

204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f
SHA512

70364f28b39f1de585867d41cefab19fcd55c93f302578edb9ed8bdec186fc266f36bfd8eb039d9cb184bce65ae18374b93c9bfcb3f636e16232913dc4e2e13e
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2W:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr6

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
916	backup.exe
2172	backup.exe
4788	backup.exe
4740	backup.exe
4652	backup.exe
1932	backup.exe
3400	backup.exe
4312	backup.exe
1800	backup.exe
848	backup.exe
5020	backup.exe
4692	backup.exe
320	backup.exe
2128	backup.exe
1004	data.exe
3492	backup.exe
4680	backup.exe
2736	backup.exe
3680	backup.exe
5016	backup.exe
4792	backup.exe
4944	backup.exe
624	backup.exe
1460	backup.exe
1140	backup.exe
3508	backup.exe
2604	backup.exe
3976	System Restore.exe
3744	backup.exe
2224	backup.exe
2628	backup.exe
2452	backup.exe
3792	data.exe
4236	backup.exe
4564	backup.exe
2924	backup.exe
5100	backup.exe
4716	backup.exe
3476	backup.exe
2056	backup.exe
5024	backup.exe
4020	backup.exe
3952	backup.exe
4780	backup.exe
2912	data.exe
4684	backup.exe
4656	backup.exe
4280	backup.exe
4664	backup.exe
4264	backup.exe
1788	backup.exe
812	backup.exe
4728	backup.exe
4492	backup.exe
4488	backup.exe
2984	backup.exe
684	backup.exe
1836	backup.exe
4988	backup.exe
2088	backup.exe
4936	backup.exe
744	backup.exe
4932	backup.exe
2060	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\backup.exe	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\backup.exe	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\backup.exe	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\backup.exe	Process not Found
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe	Process not Found
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_64\System.Data.OracleClient\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe	Process not Found
File opened for modification	C:\Windows\apppatch\AppPatch64\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Globalization\ELS\SpellDictionaries\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Help\OEM\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\update.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\data.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Web\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Globalization\ELS\HyphenationDictionaries\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\Help\mui\040C\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\Fonts\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Printing\backup.exe	backup.exe
File opened for modification	C:\Windows\Globalization\ICU\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\e7a3b638f7646fc8439936218d34b2b7\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\debug\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\927a00c8d6c2756ed97e610e209e12ab\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\Globalization\Sorting\backup.exe	Process not Found
File opened for modification	C:\Windows\Help\Corporate\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe	backup.exe
File opened for modification	C:\Windows\Globalization\backup.exe	backup.exe
File opened for modification	C:\Windows\Help\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe
916	backup.exe
2172	backup.exe
4788	backup.exe
4740	backup.exe
4652	backup.exe
1932	backup.exe
3400	backup.exe
4312	backup.exe
1800	backup.exe
848	backup.exe
5020	backup.exe
4692	backup.exe
320	backup.exe
1004	data.exe
2128	backup.exe
3492	backup.exe
4680	backup.exe
3680	backup.exe
2736	backup.exe
5016	backup.exe
4792	backup.exe
4944	backup.exe
624	backup.exe
1460	backup.exe
1140	backup.exe
3508	backup.exe
2604	backup.exe
3744	backup.exe
3976	System Restore.exe
2224	backup.exe
2628	backup.exe
2452	backup.exe
3792	data.exe
4236	backup.exe
2924	backup.exe
4564	backup.exe
5100	backup.exe
4716	backup.exe
3476	backup.exe
2056	backup.exe
5024	backup.exe
4020	backup.exe
3952	backup.exe
4780	backup.exe
2912	data.exe
4656	backup.exe
4684	backup.exe
4280	backup.exe
4664	backup.exe
4264	backup.exe
1788	backup.exe
812	backup.exe
4728	backup.exe
4488	backup.exe
4492	backup.exe
2984	backup.exe
684	backup.exe
4988	backup.exe
1836	backup.exe
2088	backup.exe
4936	backup.exe
744	backup.exe
4932	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 916	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	81
PID 2180 wrote to memory of 916	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	81
PID 2180 wrote to memory of 916	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	81
PID 2180 wrote to memory of 2172	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	82
PID 2180 wrote to memory of 2172	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	82
PID 2180 wrote to memory of 2172	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	82
PID 2180 wrote to memory of 4788	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	83
PID 2180 wrote to memory of 4788	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	83
PID 2180 wrote to memory of 4788	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	83
PID 2180 wrote to memory of 4740	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	84
PID 2180 wrote to memory of 4740	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	84
PID 2180 wrote to memory of 4740	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	84
PID 2180 wrote to memory of 4652	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	85
PID 2180 wrote to memory of 4652	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	85
PID 2180 wrote to memory of 4652	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	85
PID 2180 wrote to memory of 1932	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	86
PID 2180 wrote to memory of 1932	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	86
PID 2180 wrote to memory of 1932	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	86
PID 2180 wrote to memory of 3400	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	87
PID 2180 wrote to memory of 3400	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	87
PID 2180 wrote to memory of 3400	2180	204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe	87
PID 916 wrote to memory of 4312	916	backup.exe	88
PID 916 wrote to memory of 4312	916	backup.exe	88
PID 916 wrote to memory of 4312	916	backup.exe	88
PID 4312 wrote to memory of 1800	4312	backup.exe	89
PID 4312 wrote to memory of 1800	4312	backup.exe	89
PID 4312 wrote to memory of 1800	4312	backup.exe	89
PID 4312 wrote to memory of 848	4312	backup.exe	90
PID 4312 wrote to memory of 848	4312	backup.exe	90
PID 4312 wrote to memory of 848	4312	backup.exe	90
PID 4312 wrote to memory of 5020	4312	backup.exe	91
PID 4312 wrote to memory of 5020	4312	backup.exe	91
PID 4312 wrote to memory of 5020	4312	backup.exe	91
PID 5020 wrote to memory of 4692	5020	backup.exe	92
PID 5020 wrote to memory of 4692	5020	backup.exe	92
PID 5020 wrote to memory of 4692	5020	backup.exe	92
PID 4692 wrote to memory of 320	4692	backup.exe	93
PID 4692 wrote to memory of 320	4692	backup.exe	93
PID 4692 wrote to memory of 320	4692	backup.exe	93
PID 5020 wrote to memory of 2128	5020	backup.exe	95
PID 5020 wrote to memory of 2128	5020	backup.exe	95
PID 5020 wrote to memory of 2128	5020	backup.exe	95
PID 4312 wrote to memory of 1004	4312	backup.exe	94
PID 4312 wrote to memory of 1004	4312	backup.exe	94
PID 4312 wrote to memory of 1004	4312	backup.exe	94
PID 1004 wrote to memory of 3492	1004	data.exe	96
PID 1004 wrote to memory of 3492	1004	data.exe	96
PID 1004 wrote to memory of 3492	1004	data.exe	96
PID 2128 wrote to memory of 4680	2128	backup.exe	97
PID 2128 wrote to memory of 4680	2128	backup.exe	97
PID 2128 wrote to memory of 4680	2128	backup.exe	97
PID 3492 wrote to memory of 2736	3492	backup.exe	98
PID 3492 wrote to memory of 2736	3492	backup.exe	98
PID 3492 wrote to memory of 2736	3492	backup.exe	98
PID 2128 wrote to memory of 3680	2128	backup.exe	99
PID 2128 wrote to memory of 3680	2128	backup.exe	99
PID 2128 wrote to memory of 3680	2128	backup.exe	99
PID 2736 wrote to memory of 5016	2736	backup.exe	100
PID 2736 wrote to memory of 5016	2736	backup.exe	100
PID 2736 wrote to memory of 5016	2736	backup.exe	100
PID 3680 wrote to memory of 4792	3680	backup.exe	101
PID 3680 wrote to memory of 4792	3680	backup.exe	101
PID 3680 wrote to memory of 4792	3680	backup.exe	101
PID 2736 wrote to memory of 4944	2736	backup.exe	102

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found

C:\Users\Admin\AppData\Local\Temp\204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe
"C:\Users\Admin\AppData\Local\Temp\204cf7c239a1e9d374cdc5b653d0e87b5b8a701f85ba382f6df474d0e03bf97f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\2426247038\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2426247038\backup.exe C:\Users\Admin\AppData\Local\Temp\2426247038\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1800
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:848
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4792
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4236
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3952
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4656
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        System policy modification
        
        PID:2060
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:308
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:4568
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:4428
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:3848
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:2312
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2604
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4940
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:3512
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:836
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:4688
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:456
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:2008
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:3284
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:1852
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        System policy modification
        
        PID:3520
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:4644
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:2688
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:760
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:2656
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:228
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\data.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:2652
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:1088
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:4300
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:3996
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:5000
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:4704
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:5036
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4192
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:3868
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:2304
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:3552
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:840
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:3256
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3924
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4868
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:836
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:3900
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:3364
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4564
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:548
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Drops file in Program Files directory
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:3240
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3712
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:2740
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3248
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2304
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1464
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2728
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1732
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2492
        
        C:\Program Files\Common Files\System\ado\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\update.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2112
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1640
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:4200
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4280
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:3304
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1956
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:4316
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3876
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:848
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4704
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4284
        
        C:\Program Files\Common Files\System\msadc\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\data.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3932
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:4552
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3748
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:4988
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        9⤵
        Drops file in Program Files directory
        
        PID:3644
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\
        10⤵
        
        PID:3976
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:216
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1868
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4368
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2364
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2336
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:4304
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:3792
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:5100
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:4780
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1868
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1084
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:3256
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:440
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1088
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:3796
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2456
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:388
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4684
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1856
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:5052
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2668
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:4736
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4548
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1764
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2184
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:216
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:620
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:4336
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:4700
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:4412
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3888
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:2688
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        System policy modification
        
        PID:5088
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:1132
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        System policy modification
        
        PID:776
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:5008
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:2112
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:3864
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:2628
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:3644
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        
        PID:3140
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:3752
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        
        PID:868
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:4628
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        
        PID:1800
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:4804
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        System policy modification
        
        PID:1904
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        
        PID:2244
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\
        10⤵
        
        PID:3028
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
        9⤵
        
        PID:3876
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\
        9⤵
        
        PID:4216
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\
        9⤵
        
        PID:5080
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        System policy modification
        
        PID:2256
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:4676
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        
        PID:4732
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:1080
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:2944
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        
        PID:4016
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        
        PID:968
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:1156
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:2852
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:1940
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:2580
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:1996
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:1084
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:4364
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:3416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        System policy modification
        
        PID:4848
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:1628
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:4300
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        11⤵
        
        PID:388
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2816
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:2224
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        
        PID:4756
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        11⤵
        
        PID:3368
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        System policy modification
        
        PID:344
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:3552
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:3512
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
        10⤵
        
        PID:2764
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
        11⤵
        System policy modification
        
        PID:3896
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
        10⤵
        Drops file in Program Files directory
        
        PID:2328
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
        10⤵
        
        PID:3760
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
        11⤵
        
        PID:2680
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
        10⤵
        
        PID:4284
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
        11⤵
        
        PID:2784
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
        10⤵
        
        PID:4756
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
        11⤵
        
        PID:4712
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
        10⤵
        
        PID:1248
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
        11⤵
        
        PID:2632
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2836
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:1460
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:4604
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        Disables RegEdit via registry modification
        
        PID:2412
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        
        PID:2684
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        11⤵
        
        PID:2120
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        12⤵
        
        PID:3592
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\
        9⤵
        Drops file in Program Files directory
        
        PID:2244
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:3212
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:5064
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2036
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        
        PID:1152
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        11⤵
        
        PID:1860
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        11⤵
        
        PID:3208
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        11⤵
        
        PID:3840
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        11⤵
        
        PID:4592
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        
        PID:5032
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        11⤵
        
        PID:776
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2836
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
        11⤵
        
        PID:3136
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
        12⤵
        
        PID:4688
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
        11⤵
        
        PID:3488
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
        11⤵
        
        PID:1040
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        
        PID:1088
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\
        9⤵
        
        PID:3796
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5088
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\
        10⤵
        
        PID:5012
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        
        PID:404
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:5044
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\
        10⤵
        
        PID:3244
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:5056
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
        10⤵
        
        PID:1084
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\
        10⤵
        
        PID:4780
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\
        11⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\
        12⤵
        
        PID:1924
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\
        11⤵
        
        PID:2376
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:4316
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
        9⤵
        
        PID:4988
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\
        11⤵
        
        PID:1060
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\
        12⤵
        Disables RegEdit via registry modification
        
        PID:3976
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        13⤵
        
        PID:4328
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\
        12⤵
        
        PID:2084
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        13⤵
        
        PID:4264
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\
        11⤵
        
        PID:840
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\
        10⤵
        
        PID:4900
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\
        11⤵
        
        PID:2140
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\
        10⤵
        
        PID:5024
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\
        9⤵
        
        PID:3376
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1016
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\
        11⤵
        
        PID:2952
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\
        10⤵
        
        PID:832
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\
        11⤵
        
        PID:4700
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\
        10⤵
        
        PID:2184
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\
        11⤵
        
        PID:1996
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\
        10⤵
        
        PID:4304
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:740
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:1732
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:1460
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3396
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\System Restore.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:2976
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:4868
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        
        PID:3508
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\update.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:4900
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        
        PID:4568
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        
        PID:4880
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        
        PID:4012
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:4932
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:308
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        System policy modification
        
        PID:1272
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:440
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        
        PID:4768
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:2384
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:4704
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:1060
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        System policy modification
        
        PID:3484
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        System policy modification
        
        PID:1736
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:1640
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:344
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:1016
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:3516
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:4792
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:4256
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:2976
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:2456
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:3512
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
        9⤵
        
        PID:4972
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:5056
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:3212
        
        C:\Program Files\Microsoft Office\root\loc\update.exe
        
        "C:\Program Files\Microsoft Office\root\loc\update.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:4412
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:4316
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        Drops file in Program Files directory
        
        PID:4416
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        
        PID:840
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        System policy modification
        
        PID:1156
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:844
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        
        PID:4972
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4280
        
        C:\Program Files\Microsoft Office\root\Office16\3082\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\data.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:936
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        Drops file in Program Files directory
        
        PID:1584
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        System policy modification
        
        PID:3284
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        System policy modification
        
        PID:3968
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        System policy modification
        
        PID:1904
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\update.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        
        PID:3836
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        10⤵
        
        PID:5012
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\data.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        11⤵
        
        PID:964
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        
        PID:3472
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:4044
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        9⤵
        
        PID:3872
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        
        PID:748
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:2664
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        
        PID:2868
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        9⤵
        
        PID:712
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        
        PID:4748
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:3600
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:456
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        10⤵
        
        PID:2604
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        
        PID:876
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3468
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        8⤵
        
        PID:844
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f33\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        8⤵
        
        PID:3520
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        8⤵
        
        PID:3508
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f4\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f4\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2128
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        8⤵
        
        PID:2324
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:1996
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        Drops file in Windows directory
        
        PID:4856
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:3268
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        
        PID:4980
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:2184
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:1956
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4560
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        9⤵
        
        PID:1524
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        10⤵
        
        PID:4568
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        11⤵
        
        PID:4448
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\update.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\update.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        9⤵
        
        PID:4924
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        8⤵
        
        PID:2120
        
        C:\Program Files\Microsoft Office\root\vfs\Fonts\private\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        9⤵
        
        PID:3892
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        8⤵
        
        PID:4660
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        9⤵
        Drops file in Program Files directory
        
        PID:1836
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\
        10⤵
        
        PID:2340
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        10⤵
        
        PID:3424
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        11⤵
        
        PID:3472
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        10⤵
        System policy modification
        
        PID:3664
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        9⤵
        
        PID:4540
        
        C:\Program Files\Microsoft Office\root\vreg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
        7⤵
        
        PID:4436
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:1732
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:3644
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:2044
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\
        9⤵
        
        PID:4448
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:4192
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:216
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\
        9⤵
        
        PID:3500
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:3376
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        System policy modification
        
        PID:3580
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:3792
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:3216
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:1856
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\data.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        System policy modification
        
        PID:2736
      - C:\Program Files\Mozilla Firefox\defaults\data.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\data.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2320
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2112
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:4728
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\update.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\update.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:976
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:4564
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:872
    - - C:\Program Files\MSBuild\data.exe
        
        "C:\Program Files\MSBuild\data.exe" C:\Program Files\MSBuild\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4912
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:5076
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\data.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\data.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:1524
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:3868
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:2868
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:772
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        System policy modification
        
        PID:2452
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:1732
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:4912
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:4308
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:4084
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:4552
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2816
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:3516
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:3824
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:840
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        Drops file in Windows directory
        
        PID:1876
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:3792
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:3268
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:3884
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:2120
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2384
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1864
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:5032
        
        C:\Program Files\VideoLAN\VLC\locale\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\data.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:2584
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:1788
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:2944
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:4720
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        9⤵
        
        PID:3284
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        8⤵
        
        PID:748
        
        C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4116
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        9⤵
        
        PID:2632
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        8⤵
        
        PID:4988
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        9⤵
        
        PID:772
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        8⤵
        
        PID:2516
        
        C:\Program Files\VideoLAN\VLC\lua\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
        7⤵
        
        PID:4748
        
        C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2608
    - - C:\Program Files\Windows Defender\data.exe
        
        "C:\Program Files\Windows Defender\data.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:4200
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:876
      - C:\Program Files\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
        6⤵
        
        PID:4552
      - C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        6⤵
        
        PID:1356
      - C:\Program Files\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
        6⤵
        
        PID:4748
      - C:\Program Files\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
        6⤵
        
        PID:2952
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:872
    - - C:\Program Files\Windows Media Player\data.exe
        
        "C:\Program Files\Windows Media Player\data.exe" C:\Program Files\Windows Media Player\
        5⤵
        Drops file in Program Files directory
        
        PID:636
      - C:\Program Files\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files\Windows Media Player\de-DE\backup.exe" C:\Program Files\Windows Media Player\de-DE\
        6⤵
        
        PID:1016
  - - C:\Program Files (x86)\data.exe
      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:1088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        9⤵
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        10⤵
        
        PID:4708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:5016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        System policy modification
        
        PID:3084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:2832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:3252
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:3320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Disables RegEdit via registry modification
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:4368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        Disables RegEdit via registry modification
        
        PID:3044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        System policy modification
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:544
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:3992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:4012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:1932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        System policy modification
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:3368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:2668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        System policy modification
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        
        PID:2052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        
        PID:848
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:4116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        
        PID:2984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        
        PID:3304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        Drops file in Program Files directory
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:4764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        
        PID:5068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        
        PID:3580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        
        PID:260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        
        PID:2684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        15⤵
        
        PID:3284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        15⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        15⤵
        
        PID:4492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        15⤵
        
        PID:3640
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\update.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\update.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        16⤵
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        15⤵
        
        PID:1428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        15⤵
        
        PID:4804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        15⤵
        
        PID:3480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        15⤵
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        15⤵
        
        PID:4564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        15⤵
        Disables RegEdit via registry modification
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
        15⤵
        
        PID:5096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        15⤵
        
        PID:1016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\
        15⤵
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        15⤵
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        15⤵
        
        PID:3904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        15⤵
        
        PID:2212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
        15⤵
        
        PID:1836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\
        15⤵
        
        PID:4512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\
        15⤵
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\
        15⤵
        
        PID:4440
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\
        15⤵
        
        PID:4280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\
        15⤵
        
        PID:3424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\
        15⤵
        
        PID:5056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\
        15⤵
        System policy modification
        
        PID:4780
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\
        15⤵
        
        PID:620
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:2108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:1440
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        
        PID:2916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:2832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:3692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        15⤵
        
        PID:4672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        15⤵
        
        PID:2384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
        15⤵
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        15⤵
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        15⤵
        Disables RegEdit via registry modification
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        15⤵
        
        PID:4984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        15⤵
        
        PID:3840
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        15⤵
        
        PID:4564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\
        15⤵
        System policy modification
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\
        15⤵
        System policy modification
        
        PID:3244
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\
        15⤵
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\
        15⤵
        Disables RegEdit via registry modification
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\
        15⤵
        
        PID:4016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\
        15⤵
        
        PID:2680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\
        15⤵
        System policy modification
        
        PID:4784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\
        15⤵
        
        PID:3496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\
        15⤵
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\
        15⤵
        
        PID:308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\
        15⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\
        15⤵
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\
        15⤵
        
        PID:2392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\
        15⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\
        15⤵
        
        PID:3968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\
        15⤵
        System policy modification
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\
        15⤵
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\
        15⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\
        15⤵
        Disables RegEdit via registry modification
        
        PID:3868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\
        15⤵
        
        PID:4560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        Drops file in Program Files directory
        
        PID:5036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        14⤵
        Disables RegEdit via registry modification
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        Disables RegEdit via registry modification
        
        PID:3416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        System policy modification
        
        PID:3444
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        13⤵
        
        PID:4908
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        14⤵
        
        PID:4040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        14⤵
        
        PID:920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        14⤵
        
        PID:2256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\
        15⤵
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\
        16⤵
        
        PID:920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\
        16⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\
        16⤵
        
        PID:664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\
        16⤵
        
        PID:4308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\
        16⤵
        
        PID:4992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\
        16⤵
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\
        16⤵
        
        PID:1448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\
        16⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\
        16⤵
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\
        13⤵
        
        PID:3752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
        14⤵
        
        PID:4980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\
        14⤵
        
        PID:4676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\
        15⤵
        
        PID:2608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\
        16⤵
        
        PID:4068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\
        14⤵
        System policy modification
        
        PID:2728
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\
        15⤵
        Drops file in Program Files directory
        
        PID:4008
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\
        16⤵
        
        PID:4904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\
        16⤵
        
        PID:4980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\
        16⤵
        
        PID:4712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\
        16⤵
        
        PID:3848
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\
        12⤵
        
        PID:4912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:3472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:3792
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:3528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4860
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:4576
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2224
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4276
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:4412
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:4008
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:772
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2680
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:4908
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2784
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:2452
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:3952
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:364
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Drops file in Program Files directory
        
        PID:4740
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:4700
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:3884
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:3240
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:4732
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:1132
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:4724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:3980
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3284
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:4736
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:3500
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\
        16⤵
        
        PID:4084
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\
        17⤵
        
        PID:2384
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\
        18⤵
        
        PID:4388
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\
        19⤵
        Disables RegEdit via registry modification
        
        PID:3664
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        20⤵
        
        PID:3680
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\data.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        21⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:760
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4712
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:2836
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:4684
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:2516
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:4728
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:2312
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:3728
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3492
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4288
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:4980
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:5056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:4604
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3000
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4996
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:884
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3884
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:3640
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2608
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:3480
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:4068
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:4908
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:4272
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:5068
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:3888
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:2764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:3872
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:4272
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:3352
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:2684
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:3704
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1932
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:1392
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:636
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3416
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4936
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4848
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2616
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4940
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\update.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4672
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:3352
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4748
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:840
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:4828
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:5100
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:4448
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:4760
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:4340
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4020
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4732
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\data.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\data.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3268
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3404
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4188
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:4404
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        Drops file in Program Files directory
        
        PID:3400
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2304
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1788
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1864
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        System policy modification
        
        PID:2212
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1700
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2452
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:4320
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1428
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:4440
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1524
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1208
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:4572
        
        C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
        8⤵
        
        PID:4328
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:3996
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:3400
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:3256
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1716
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2916
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3680
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:2892
      - C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2548
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3136
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:260
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:4332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Drops file in Program Files directory
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:2108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:3400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:5104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        System policy modification
        
        PID:3676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:3876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:3600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        9⤵
        
        PID:3968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        10⤵
        
        PID:920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        11⤵
        Drops file in Windows directory
        
        PID:976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        9⤵
        
        PID:4604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        10⤵
        Drops file in Windows directory
        
        PID:5024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        10⤵
        
        PID:3996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
        10⤵
        
        PID:1080
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        11⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3976
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
        12⤵
        
        PID:2036
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\
        12⤵
        
        PID:3452
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\
        12⤵
        
        PID:1784
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\
        12⤵
        
        PID:3732
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f18ff42b17aa9990ee61ad0c4aea9b1c\
        12⤵
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
        10⤵
        
        PID:3768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\
        11⤵
        
        PID:4920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
        11⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
        10⤵
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
        10⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\
        11⤵
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\
        12⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        9⤵
        
        PID:4412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        9⤵
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
        10⤵
        
        PID:976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
        10⤵
        
        PID:2060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\
        9⤵
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\
        9⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:1120
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        
        PID:3252
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\
        7⤵
        
        PID:2616
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:4352
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\
        9⤵
        
        PID:2320
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{9B826622-81DE-4C73-98AC-77A3FAEBE059}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{9B826622-81DE-4C73-98AC-77A3FAEBE059}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{9B826622-81DE-4C73-98AC-77A3FAEBE059}\
        8⤵
        
        PID:1296
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:4308
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:3352
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2244
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:2816
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:3528
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:3248
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:832
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:4924
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:3120
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        Drops file in Program Files directory
        
        PID:2364
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4780
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:5076
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5068
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:740
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\update.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\update.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:1296
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2728
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:876
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\
        9⤵
        
        PID:4712
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:4632
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:2412
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:1500
    - - C:\Program Files (x86)\Windows Defender\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\backup.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:2376
      - C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        6⤵
        
        PID:1356
      - C:\Program Files (x86)\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\backup.exe" C:\Program Files (x86)\Windows Defender\es-ES\
        6⤵
        
        PID:4568
      - C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:2128
      - C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe" C:\Program Files (x86)\Windows Defender\ja-JP\
        6⤵
        
        PID:3248
      - C:\Program Files (x86)\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\backup.exe" C:\Program Files (x86)\Windows Defender\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        System policy modification
        
        PID:4016
    - - C:\Program Files (x86)\Windows Media Player\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\backup.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        
        PID:3876
      - C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe" C:\Program Files (x86)\Windows Media Player\de-DE\
        6⤵
        
        PID:3668
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3404
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2120
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4236
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:5008
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:4440
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3304
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1644
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:5112
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:3000
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4316
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2264
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        System policy modification
        
        PID:4236
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1016
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1464
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2140
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:4828
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2392
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:3644
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4328
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4708
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2684
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:2160
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1640
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:2328
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:3824
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4648
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:2616
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:32
      - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
        6⤵
        
        PID:2368
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:5052
      - C:\Windows\apppatch\AppPatch64\update.exe
        
        C:\Windows\apppatch\AppPatch64\update.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        System policy modification
        
        PID:4492
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3640
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
      - C:\Windows\apppatch\CustomSDB\data.exe
        
        C:\Windows\apppatch\CustomSDB\data.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:2452
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4920
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        System policy modification
        
        PID:1272
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:2752
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:4792
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:4272
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:1784
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:772
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:4376
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:5024
        
        C:\Windows\assembly\GAC\ADODB\data.exe
        
        C:\Windows\assembly\GAC\ADODB\data.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        System policy modification
        
        PID:3132
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:544
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:3840
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\update.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4656
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:976
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1580
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:2628
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4944
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:1120
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:2608
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:1460
        
        C:\Windows\assembly\GAC\stdole\data.exe
        
        C:\Windows\assembly\GAC\stdole\data.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:2852
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3468
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:884
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:3084
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3952
        
        C:\Windows\assembly\GAC_32\ISymWrapper\update.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\update.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        Drops file in Windows directory
        
        PID:4596
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1440
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:2060
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4368
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:3644
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:5104
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:3640
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        
        PID:2752
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3876
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        System policy modification
        
        PID:4620
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\update.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\update.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4568
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        Drops file in Windows directory
        
        PID:4448
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3756
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        7⤵
        
        PID:4692
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4644
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        7⤵
        Drops file in Windows directory
        
        PID:1428
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:1728
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        7⤵
        
        PID:3812
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:3208
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        7⤵
        
        PID:4276
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\
        7⤵
        System policy modification
        
        PID:1784
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:1860
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        7⤵
        
        PID:3712
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\
        7⤵
        
        PID:1592
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:748
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3116
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:4996
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:3856
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4332
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:2212
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:440
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:1876
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4944
        
        C:\Windows\assembly\GAC_64\MSBuild\data.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\data.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:4760
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2516
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\data.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\data.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:4044
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:4900
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:4496
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        Drops file in Windows directory
        
        PID:2812
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        System policy modification
        
        PID:2224
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1444
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4280
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
        7⤵
        
        PID:3824
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4972
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\
        7⤵
        Drops file in Windows directory
        
        PID:1856
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
        8⤵
        
        PID:1524
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe C:\Windows\Globalization\ELS\Transliteration\
        9⤵
        
        PID:1584
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\
        8⤵
        
        PID:3304
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\
        8⤵
        
        PID:3480
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
        8⤵
        
        PID:2868
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\update.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\update.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:1996
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4576
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\
        7⤵
        
        PID:968
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2868
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        
        PID:344
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4724
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_32\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        Drops file in Windows directory
        
        PID:1080
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\
        7⤵
        System policy modification
        
        PID:5080
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\
        8⤵
        Drops file in Program Files directory
        
        PID:1060
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\
        7⤵
        
        PID:5088
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\
        8⤵
        System policy modification
        
        PID:4756
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:1932
    - - C:\Windows\bcastdvr\System Restore.exe
        
        "C:\Windows\bcastdvr\System Restore.exe" C:\Windows\bcastdvr\
        5⤵
        
        PID:4940
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:4856
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:2752
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:1728
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:216
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:1784
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:4656
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:3552
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:5044
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:3748
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:4752
      - C:\Windows\Containers\serviced\data.exe
        
        C:\Windows\Containers\serviced\data.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:2108
    - - C:\Windows\debug\System Restore.exe
        
        "C:\Windows\debug\System Restore.exe" C:\Windows\debug\
        5⤵
        
        PID:1476
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:4804
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        
        PID:936
      - C:\Windows\DiagTrack\Scenarios\backup.exe
        
        C:\Windows\DiagTrack\Scenarios\backup.exe C:\Windows\DiagTrack\Scenarios\
        6⤵
        
        PID:2320
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:2548
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1012
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:3488
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:1156
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:4288
      - C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\
        6⤵
        
        PID:1012
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:944
    - - C:\Windows\fr-FR\backup.exe
        
        C:\Windows\fr-FR\backup.exe C:\Windows\fr-FR\
        5⤵
        
        PID:3268
    - - C:\Windows\es-ES\backup.exe
        
        C:\Windows\es-ES\backup.exe C:\Windows\es-ES\
        5⤵
        
        PID:4576
    - - C:\Windows\GameBarPresenceWriter\backup.exe
        
        C:\Windows\GameBarPresenceWriter\backup.exe C:\Windows\GameBarPresenceWriter\
        5⤵
        
        PID:772
    - - C:\Windows\Globalization\backup.exe
        
        C:\Windows\Globalization\backup.exe C:\Windows\Globalization\
        5⤵
        
        PID:836
      - C:\Windows\Globalization\ELS\backup.exe
        
        C:\Windows\Globalization\ELS\backup.exe C:\Windows\Globalization\ELS\
        6⤵
        Drops file in Windows directory
        
        PID:1524
      - C:\Windows\Globalization\ICU\backup.exe
        
        C:\Windows\Globalization\ICU\backup.exe C:\Windows\Globalization\ICU\
        6⤵
        
        PID:4724
      - C:\Windows\Globalization\Sorting\backup.exe
        
        C:\Windows\Globalization\Sorting\backup.exe C:\Windows\Globalization\Sorting\
        6⤵
        
        PID:2220
      - C:\Windows\Globalization\Time Zone\backup.exe
        
        "C:\Windows\Globalization\Time Zone\backup.exe" C:\Windows\Globalization\Time Zone\
        6⤵
        
        PID:684
    - - C:\Windows\Help\backup.exe
        
        C:\Windows\Help\backup.exe C:\Windows\Help\
        5⤵
        Drops file in Windows directory
        
        PID:1208
      - C:\Windows\Help\Corporate\backup.exe
        
        C:\Windows\Help\Corporate\backup.exe C:\Windows\Help\Corporate\
        6⤵
        
        PID:4760
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3400

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
1⤵
PID:3624

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
1⤵
PID:2864
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
  "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
  2⤵
  PID:2172

C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\update.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\update.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
1⤵
PID:3664

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
1⤵
PID:4860
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
  2⤵
  - Drops file in Program Files directory
  PID:2912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
    3⤵
    - System policy modification
    PID:2668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
    3⤵
    PID:308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
    3⤵
    - System policy modification
    PID:4708
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
    3⤵
    PID:2108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
    3⤵
    PID:3244
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
    3⤵
    PID:4992
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
    3⤵
    PID:1712
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
    3⤵
    PID:3668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
    3⤵
    - System policy modification
    PID:836
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
    3⤵
    PID:4696
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
    3⤵
    PID:4304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
    3⤵
    PID:3548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
    3⤵
    PID:4656
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
    3⤵
    PID:4828
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
    3⤵
    PID:1764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
    3⤵
    PID:4336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\
    3⤵
    PID:308
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\
    3⤵
    PID:3664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\
    3⤵
    PID:3248
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\
    3⤵
    - Disables RegEdit via registry modification
    PID:1856
  - - C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe
      C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\
      4⤵
      PID:3028
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\
    3⤵
    PID:4024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\
    3⤵
    PID:4940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\
    3⤵
    PID:772
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\
    3⤵
    PID:4980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\
    3⤵
    PID:4936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\
    3⤵
    PID:1460
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\
    3⤵
    PID:4024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\
    3⤵
    PID:4764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\
    3⤵
    - System policy modification
    PID:2232
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\
    3⤵
    PID:3752
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\
    3⤵
    PID:4016
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\
    3⤵
    PID:4980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\
    3⤵
    PID:3208
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\
    3⤵
    PID:2952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
1⤵
PID:3212
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
  2⤵
  PID:3876
- - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
    "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
    3⤵
    PID:3676
  - - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
      "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
      4⤵
      PID:3752
  - - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
      "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
      4⤵
      PID:4592
  - - C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
      "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
      4⤵
      PID:2324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
1⤵
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4732

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\data.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\data.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
1⤵
PID:3980
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4656
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
  2⤵
  PID:1100

C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\
1⤵
PID:3864
- C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\System Restore.exe
  "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\
  2⤵
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
6ed55db6fd116e6c83a1e0eb2ec3b0e2

SHA1
dfb7dd98043a1282c23fffa3e5e77f379b787b9e

SHA256
cefca6a442159a2ff6ad09709fcfeca66f978995473064394db69f2054385e20

SHA512
71b02c1ae59621063ec2266854dd9e510a8746f543d6d7b1049ab0213113227ff3a3da519c1e18a50860bc076a2561e296657bb1aefb799e36e1990b90c466bc

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
6ed55db6fd116e6c83a1e0eb2ec3b0e2

SHA1
dfb7dd98043a1282c23fffa3e5e77f379b787b9e

SHA256
cefca6a442159a2ff6ad09709fcfeca66f978995473064394db69f2054385e20

SHA512
71b02c1ae59621063ec2266854dd9e510a8746f543d6d7b1049ab0213113227ff3a3da519c1e18a50860bc076a2561e296657bb1aefb799e36e1990b90c466bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
835481a243223cf7164c6fb9b00a90e9

SHA1
0c126d2423bb139e8d1c3faf784e71d52ff77c43

SHA256
def3f949eb76a00c1149ff7bf6c7e3fb7476365778693f5ea0f80cb049aa95b4

SHA512
9d2066a34440c25a6e7a15f1b771023003c98108274cbed053afae711ba69e561af30168c24b32167577e964e31c4523b3d0966259f9784a241aba82e91bd5ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
835481a243223cf7164c6fb9b00a90e9

SHA1
0c126d2423bb139e8d1c3faf784e71d52ff77c43

SHA256
def3f949eb76a00c1149ff7bf6c7e3fb7476365778693f5ea0f80cb049aa95b4

SHA512
9d2066a34440c25a6e7a15f1b771023003c98108274cbed053afae711ba69e561af30168c24b32167577e964e31c4523b3d0966259f9784a241aba82e91bd5ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe

Filesize
72KB

MD5
3c07b4d73811e2035d6c7afb7b3c6a47

SHA1
918349abc6c570f63466909095437a2f2e6e9cee

SHA256
f29fd6e923c257856204841a5a44b6acfc145c464b1822011a8247787a4297c2

SHA512
d75047aac5e1ae98d0e4276d372780c47a8e662b79f36734e185d0db6cf810c79b55bb77f0d637ffaca3a65dc434f48101a57385fd6cddf7226d3cf33ae9fca6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe

Filesize
72KB

MD5
3c07b4d73811e2035d6c7afb7b3c6a47

SHA1
918349abc6c570f63466909095437a2f2e6e9cee

SHA256
f29fd6e923c257856204841a5a44b6acfc145c464b1822011a8247787a4297c2

SHA512
d75047aac5e1ae98d0e4276d372780c47a8e662b79f36734e185d0db6cf810c79b55bb77f0d637ffaca3a65dc434f48101a57385fd6cddf7226d3cf33ae9fca6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
72KB

MD5
afde6d75247c09c72405bd9e41f4bdf2

SHA1
d25ac530d8ba3643aa6e8d5e35107263b437b5c5

SHA256
f82f21767f133b16c57d20d1f8cf0f80247f264100ad23e327563305a58d5b68

SHA512
4ed5ba4aca98459728b6dc37368092a611533ce3a749a7b3c21747a1ec98570b22452d1e000c7e7bb36a7a4d6a320f5a9d336e91cb2795aaa8ddcc0c13dfa122

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe

Filesize
72KB

MD5
afde6d75247c09c72405bd9e41f4bdf2

SHA1
d25ac530d8ba3643aa6e8d5e35107263b437b5c5

SHA256
f82f21767f133b16c57d20d1f8cf0f80247f264100ad23e327563305a58d5b68

SHA512
4ed5ba4aca98459728b6dc37368092a611533ce3a749a7b3c21747a1ec98570b22452d1e000c7e7bb36a7a4d6a320f5a9d336e91cb2795aaa8ddcc0c13dfa122

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe

Filesize
72KB

MD5
03dd17f631fc1f4173bc0df5705b88db

SHA1
01e0c28348bf2d76791a71c52f68ca8fd25a628d

SHA256
42a2636c6fc9f5b4d0d358a19e26ed802ae1f91d8dfa60e1053dc903c3281da4

SHA512
e31311718a2de0b8b75ff1d49eadf84138ab55e7c489ef70462fefc132bc57708ef1bf979de8ca64a6d212bb357205fdff07615b6551b34e89b54ef3befdc400

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe

Filesize
72KB

MD5
03dd17f631fc1f4173bc0df5705b88db

SHA1
01e0c28348bf2d76791a71c52f68ca8fd25a628d

SHA256
42a2636c6fc9f5b4d0d358a19e26ed802ae1f91d8dfa60e1053dc903c3281da4

SHA512
e31311718a2de0b8b75ff1d49eadf84138ab55e7c489ef70462fefc132bc57708ef1bf979de8ca64a6d212bb357205fdff07615b6551b34e89b54ef3befdc400

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe

Filesize
72KB

MD5
53b1b7283feb548fb4731fdd1505fe75

SHA1
7cbd84793551e6abb83a0ffdc960858a696f9a97

SHA256
5d364f60bafde349cf52e83b8b96b726dca7178278d10bb7094b3a77600b4f27

SHA512
6ae2f9633ff04cc620afe30feaff58a141147841dd412f32dfcd804af6c442473619875c80f04739e0aa745dbb506f453e12c16da2576fd7f00b1409a9c57b98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe

Filesize
72KB

MD5
53b1b7283feb548fb4731fdd1505fe75

SHA1
7cbd84793551e6abb83a0ffdc960858a696f9a97

SHA256
5d364f60bafde349cf52e83b8b96b726dca7178278d10bb7094b3a77600b4f27

SHA512
6ae2f9633ff04cc620afe30feaff58a141147841dd412f32dfcd804af6c442473619875c80f04739e0aa745dbb506f453e12c16da2576fd7f00b1409a9c57b98

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
835481a243223cf7164c6fb9b00a90e9

SHA1
0c126d2423bb139e8d1c3faf784e71d52ff77c43

SHA256
def3f949eb76a00c1149ff7bf6c7e3fb7476365778693f5ea0f80cb049aa95b4

SHA512
9d2066a34440c25a6e7a15f1b771023003c98108274cbed053afae711ba69e561af30168c24b32167577e964e31c4523b3d0966259f9784a241aba82e91bd5ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe

Filesize
72KB

MD5
835481a243223cf7164c6fb9b00a90e9

SHA1
0c126d2423bb139e8d1c3faf784e71d52ff77c43

SHA256
def3f949eb76a00c1149ff7bf6c7e3fb7476365778693f5ea0f80cb049aa95b4

SHA512
9d2066a34440c25a6e7a15f1b771023003c98108274cbed053afae711ba69e561af30168c24b32167577e964e31c4523b3d0966259f9784a241aba82e91bd5ff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
302d558bd654d8111b9f53ac97e7a553

SHA1
8a2de6ce07c38b9f747ab9ceb98c9a68c6a2280f

SHA256
13bfad82848855cf9882ac30cc71814c88ee2969fb2dc716eec2b3be6e2857b9

SHA512
95ac5b67d4dc0018f50eedad23adc14e0c32cd2ab8531ac08fa3a2f91fe2a727f26a00965512850c1c61e2d7886402674fcc025435e2c7ae56bae6d0c6234c08

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
302d558bd654d8111b9f53ac97e7a553

SHA1
8a2de6ce07c38b9f747ab9ceb98c9a68c6a2280f

SHA256
13bfad82848855cf9882ac30cc71814c88ee2969fb2dc716eec2b3be6e2857b9

SHA512
95ac5b67d4dc0018f50eedad23adc14e0c32cd2ab8531ac08fa3a2f91fe2a727f26a00965512850c1c61e2d7886402674fcc025435e2c7ae56bae6d0c6234c08

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
4328c86847ecebed1f72ab40510c4f1f

SHA1
b9de734df9a45ac13d3e403c8cc36f5cc9dd8591

SHA256
e5b913579bdc9fee86a78e05a1a276405af99c0d16a67d3b5e064efc2bc273d2

SHA512
755d660c4e0bcf32d83d14097f98d4ebf6ae046a4797d3a3d3b17ada6833277120188fc2f1690d4cb374825e29be4436c6445b1643980f8125de5587b42a5274

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
4328c86847ecebed1f72ab40510c4f1f

SHA1
b9de734df9a45ac13d3e403c8cc36f5cc9dd8591

SHA256
e5b913579bdc9fee86a78e05a1a276405af99c0d16a67d3b5e064efc2bc273d2

SHA512
755d660c4e0bcf32d83d14097f98d4ebf6ae046a4797d3a3d3b17ada6833277120188fc2f1690d4cb374825e29be4436c6445b1643980f8125de5587b42a5274

Download Submit
C:\Program Files (x86)\data.exe

Filesize
72KB

MD5
1d1720d81fb4a5f668f46cefdd45ca36

SHA1
1d218f118b047c3bbfc72182d105090b19c0ae34

SHA256
68ae8af9eb253713d383ae14878e5241fbac1b57cb8cc59dacbf034e5fb30e55

SHA512
6a5a6514022fc3e3861f30151765d547f12b156f839c07d5e9af6827eb778b6103630b34a0388c68f0817b4534476dc585bb724bad93b9a5a2329c5dc1dfcacd

Download Submit
C:\Program Files (x86)\data.exe

Filesize
72KB

MD5
1d1720d81fb4a5f668f46cefdd45ca36

SHA1
1d218f118b047c3bbfc72182d105090b19c0ae34

SHA256
68ae8af9eb253713d383ae14878e5241fbac1b57cb8cc59dacbf034e5fb30e55

SHA512
6a5a6514022fc3e3861f30151765d547f12b156f839c07d5e9af6827eb778b6103630b34a0388c68f0817b4534476dc585bb724bad93b9a5a2329c5dc1dfcacd

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
742f3650126d8eceeec68ca74035e42b

SHA1
2f72844827e28ba8021cff29da7a04f1cfb0868e

SHA256
ecb2c1c1829f73d93c64075cf9cb9664a26b5dd7c91cdd49430aa7ec424ba6eb

SHA512
605f809d7646e79302a77f826ccc057fd3ee969e6c6cce6f4827b0198164f41198f81b293052ac6777c30377ff7e251ce6954decc6b7cb619057f9c6a7eee880

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
742f3650126d8eceeec68ca74035e42b

SHA1
2f72844827e28ba8021cff29da7a04f1cfb0868e

SHA256
ecb2c1c1829f73d93c64075cf9cb9664a26b5dd7c91cdd49430aa7ec424ba6eb

SHA512
605f809d7646e79302a77f826ccc057fd3ee969e6c6cce6f4827b0198164f41198f81b293052ac6777c30377ff7e251ce6954decc6b7cb619057f9c6a7eee880

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7a8d82ab979376cd475a09992097baf0

SHA1
b340f6f1e4c03062f3cbc442aa6df33bb927a86a

SHA256
e7fa2bdd58d7c5e328b2e6e840596f811de4f09ef45ef997b3d6fc241b25df44

SHA512
cd0fdd17c2714d975c5e157e7f21794c7a6fb73c5e1a6de6d1323c5dcea8f60a11bd719317616100a33211278209afef3cd3c0d86da4fc945f2b759fe191cc6e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7a8d82ab979376cd475a09992097baf0

SHA1
b340f6f1e4c03062f3cbc442aa6df33bb927a86a

SHA256
e7fa2bdd58d7c5e328b2e6e840596f811de4f09ef45ef997b3d6fc241b25df44

SHA512
cd0fdd17c2714d975c5e157e7f21794c7a6fb73c5e1a6de6d1323c5dcea8f60a11bd719317616100a33211278209afef3cd3c0d86da4fc945f2b759fe191cc6e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
9ad000f24092cb57c894156667a3b25e

SHA1
d0a1b2d4ae5c26675ff778967e64a10a389aaa60

SHA256
6a61364fdcf449f9c7ddf5fe6552bca190688cf27cac0ceb755b449579413bdb

SHA512
2cacbf9551f4c94bf2394387e565caf82473e5b1e838bdcb0c82be1e8390ec753c44521b2915d206698cc2012b046f23d63fdfb3bdc510b13145f9b48a99b5a5

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
9ad000f24092cb57c894156667a3b25e

SHA1
d0a1b2d4ae5c26675ff778967e64a10a389aaa60

SHA256
6a61364fdcf449f9c7ddf5fe6552bca190688cf27cac0ceb755b449579413bdb

SHA512
2cacbf9551f4c94bf2394387e565caf82473e5b1e838bdcb0c82be1e8390ec753c44521b2915d206698cc2012b046f23d63fdfb3bdc510b13145f9b48a99b5a5

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d8d663a4351a81d5ac29de0a46676625

SHA1
a2455f6bd072fe4b6ec534f4d205579def86d216

SHA256
ede3c1daf2e9a5ffbaafb960af0e5d952326be016d8c714000ced8901e60daa4

SHA512
ba0ae37eb1b40d9a283688eaa3839d33e79838493549bf12db392ad53376cd0502a36269d37a6c8dc5a863964cc22496def8dd636c5f98616e11be3647ddaa80

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
d8d663a4351a81d5ac29de0a46676625

SHA1
a2455f6bd072fe4b6ec534f4d205579def86d216

SHA256
ede3c1daf2e9a5ffbaafb960af0e5d952326be016d8c714000ced8901e60daa4

SHA512
ba0ae37eb1b40d9a283688eaa3839d33e79838493549bf12db392ad53376cd0502a36269d37a6c8dc5a863964cc22496def8dd636c5f98616e11be3647ddaa80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
6da6f3b09a8baf8a5f229568af8c6018

SHA1
c055cd289bfe272ce859eff91096faa779af42f0

SHA256
0dae16cb03871dcd63ac3ebeb4b9201741d4cc7bc6771d1f2237d8921d00c6a3

SHA512
6baaabec7da583b5bc61d32bcfbcb27a192cf5f01e9f0852d95a53238b4b934861f03ff955284e603da6506f9e0ee040766b506c457566d8a5d35d90f6866ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
6da6f3b09a8baf8a5f229568af8c6018

SHA1
c055cd289bfe272ce859eff91096faa779af42f0

SHA256
0dae16cb03871dcd63ac3ebeb4b9201741d4cc7bc6771d1f2237d8921d00c6a3

SHA512
6baaabec7da583b5bc61d32bcfbcb27a192cf5f01e9f0852d95a53238b4b934861f03ff955284e603da6506f9e0ee040766b506c457566d8a5d35d90f6866ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
158a81f7b311e607708a75ccde3b1fc3

SHA1
b8e02ca4ea1498fda9dd67058ddd03873bd3d8fe

SHA256
081613e1ef25f82582ab779632150814a55c713b4fb761dc121089fac657670d

SHA512
9418535de79fa935c7773d4160feff4b8347c765e64ce2f396fd390d11627aac697180ded8349e2b3e4a6a54fb661d3431665b31546d4dcddbb3f2c1765b1345

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
158a81f7b311e607708a75ccde3b1fc3

SHA1
b8e02ca4ea1498fda9dd67058ddd03873bd3d8fe

SHA256
081613e1ef25f82582ab779632150814a55c713b4fb761dc121089fac657670d

SHA512
9418535de79fa935c7773d4160feff4b8347c765e64ce2f396fd390d11627aac697180ded8349e2b3e4a6a54fb661d3431665b31546d4dcddbb3f2c1765b1345

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c433535f6152880053c285be7ddaa417

SHA1
3f1034bc69e8531b7664d3cbae0151502d8d9fc4

SHA256
0b4ff0168e2f8474adc0345aa7f156444324e30d81bb6b732373d128402e66cc

SHA512
00e80b3ec7f5f1f30e8ba43ace51ecf768e5c39032aa0f302d550ed436b8e9147473a5d5282112c7cfd7cdaa8c7d51800f7a5be70984bc64311dc8058afd0ba3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c433535f6152880053c285be7ddaa417

SHA1
3f1034bc69e8531b7664d3cbae0151502d8d9fc4

SHA256
0b4ff0168e2f8474adc0345aa7f156444324e30d81bb6b732373d128402e66cc

SHA512
00e80b3ec7f5f1f30e8ba43ace51ecf768e5c39032aa0f302d550ed436b8e9147473a5d5282112c7cfd7cdaa8c7d51800f7a5be70984bc64311dc8058afd0ba3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
6da6f3b09a8baf8a5f229568af8c6018

SHA1
c055cd289bfe272ce859eff91096faa779af42f0

SHA256
0dae16cb03871dcd63ac3ebeb4b9201741d4cc7bc6771d1f2237d8921d00c6a3

SHA512
6baaabec7da583b5bc61d32bcfbcb27a192cf5f01e9f0852d95a53238b4b934861f03ff955284e603da6506f9e0ee040766b506c457566d8a5d35d90f6866ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
6da6f3b09a8baf8a5f229568af8c6018

SHA1
c055cd289bfe272ce859eff91096faa779af42f0

SHA256
0dae16cb03871dcd63ac3ebeb4b9201741d4cc7bc6771d1f2237d8921d00c6a3

SHA512
6baaabec7da583b5bc61d32bcfbcb27a192cf5f01e9f0852d95a53238b4b934861f03ff955284e603da6506f9e0ee040766b506c457566d8a5d35d90f6866ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d9cbb0fbbe1c09797846ce8b45af1649

SHA1
0662984e3010454612a010456dea682070af6952

SHA256
6351db6425b59666f7d7345e6f602cb6fdeaea3c47f246e6e73f6daf9d16924c

SHA512
7d00d42deba03e7f02cad40ee54cf698fc8c3b807020e36665c45de7044d9993f297f03e2e9d590b84a2338e251c7d2104f95e0302d2b9c02d7868573015a08d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
d9cbb0fbbe1c09797846ce8b45af1649

SHA1
0662984e3010454612a010456dea682070af6952

SHA256
6351db6425b59666f7d7345e6f602cb6fdeaea3c47f246e6e73f6daf9d16924c

SHA512
7d00d42deba03e7f02cad40ee54cf698fc8c3b807020e36665c45de7044d9993f297f03e2e9d590b84a2338e251c7d2104f95e0302d2b9c02d7868573015a08d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
d9cbb0fbbe1c09797846ce8b45af1649

SHA1
0662984e3010454612a010456dea682070af6952

SHA256
6351db6425b59666f7d7345e6f602cb6fdeaea3c47f246e6e73f6daf9d16924c

SHA512
7d00d42deba03e7f02cad40ee54cf698fc8c3b807020e36665c45de7044d9993f297f03e2e9d590b84a2338e251c7d2104f95e0302d2b9c02d7868573015a08d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
d9cbb0fbbe1c09797846ce8b45af1649

SHA1
0662984e3010454612a010456dea682070af6952

SHA256
6351db6425b59666f7d7345e6f602cb6fdeaea3c47f246e6e73f6daf9d16924c

SHA512
7d00d42deba03e7f02cad40ee54cf698fc8c3b807020e36665c45de7044d9993f297f03e2e9d590b84a2338e251c7d2104f95e0302d2b9c02d7868573015a08d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
a956c19decb8dbfcb9275f1264e9f68d

SHA1
42e4a3f4b058cc5465cc872ebf48b67b5a2d318e

SHA256
7881e7945ef7a2689b642e39a52bf307de5f5ce4a5f7b079ad6044ea2bf8156e

SHA512
bf8c01e29845e60ac1baab99108cfaae1ccd91cb876a9a22ad33463f5dff0992f47f65ce66c6a8f58482b9d451ae50da3c151c0dc53fa9b937c5e99fbaa60ebc

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
a956c19decb8dbfcb9275f1264e9f68d

SHA1
42e4a3f4b058cc5465cc872ebf48b67b5a2d318e

SHA256
7881e7945ef7a2689b642e39a52bf307de5f5ce4a5f7b079ad6044ea2bf8156e

SHA512
bf8c01e29845e60ac1baab99108cfaae1ccd91cb876a9a22ad33463f5dff0992f47f65ce66c6a8f58482b9d451ae50da3c151c0dc53fa9b937c5e99fbaa60ebc

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
a956c19decb8dbfcb9275f1264e9f68d

SHA1
42e4a3f4b058cc5465cc872ebf48b67b5a2d318e

SHA256
7881e7945ef7a2689b642e39a52bf307de5f5ce4a5f7b079ad6044ea2bf8156e

SHA512
bf8c01e29845e60ac1baab99108cfaae1ccd91cb876a9a22ad33463f5dff0992f47f65ce66c6a8f58482b9d451ae50da3c151c0dc53fa9b937c5e99fbaa60ebc

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
a956c19decb8dbfcb9275f1264e9f68d

SHA1
42e4a3f4b058cc5465cc872ebf48b67b5a2d318e

SHA256
7881e7945ef7a2689b642e39a52bf307de5f5ce4a5f7b079ad6044ea2bf8156e

SHA512
bf8c01e29845e60ac1baab99108cfaae1ccd91cb876a9a22ad33463f5dff0992f47f65ce66c6a8f58482b9d451ae50da3c151c0dc53fa9b937c5e99fbaa60ebc

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
cb3ad4a098424ffdcdb1baac92a11f44

SHA1
7f1b3afee01de3a703feb333dc4397a458e4611c

SHA256
90321b66cd64766541f9acefe63f79cf4cf621d14fc1cfb2ca0d28969eb976cc

SHA512
aa2a80a83535a1450781eaac3d87e25e6bfdc6e5194a0f96c49226c9e9278b15838e747423a36aa0aab0bba95a5a0eefe591a682bf3e37ced91878e27fc062a4

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
cb3ad4a098424ffdcdb1baac92a11f44

SHA1
7f1b3afee01de3a703feb333dc4397a458e4611c

SHA256
90321b66cd64766541f9acefe63f79cf4cf621d14fc1cfb2ca0d28969eb976cc

SHA512
aa2a80a83535a1450781eaac3d87e25e6bfdc6e5194a0f96c49226c9e9278b15838e747423a36aa0aab0bba95a5a0eefe591a682bf3e37ced91878e27fc062a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2426247038\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\2426247038\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
b503ee3536ac9715c3f74c146e5e9216

SHA1
22de2a103fed97aae4409627d3a0ee64ed2a91ba

SHA256
23e49fae7461097467b33d514bf9f2a9dda7a81a4406b9d87b9b8e6c1f7bef61

SHA512
553f58b7fca970b09472977c4c7432c45814f09f6eddde1d77c901c770f32397a3b528614e31d41c6964a064df2b26b8bca172d12a8adb06b47627de425d1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
7a24dc1375165cfbd088f3135ed9a52b

SHA1
76a6052ddc34ba798e5bb9b3a7213a5e450d38ef

SHA256
1349fc20bc876d81d212f1c847f11782f9831b646f30883c9f29f0a42b117531

SHA512
faa7474c84525de79080e586a5a351f339d800bd9a327022bb33b7696d0455ce5ef33011a58df9c2d84112b6ff899b9ff65255c96f1bc7f314ff93c4eef1de78

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
7a24dc1375165cfbd088f3135ed9a52b

SHA1
76a6052ddc34ba798e5bb9b3a7213a5e450d38ef

SHA256
1349fc20bc876d81d212f1c847f11782f9831b646f30883c9f29f0a42b117531

SHA512
faa7474c84525de79080e586a5a351f339d800bd9a327022bb33b7696d0455ce5ef33011a58df9c2d84112b6ff899b9ff65255c96f1bc7f314ff93c4eef1de78

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a385a309cd4b35f00f2042a3087b4d68

SHA1
40348d47f5e9025508e2a6aff035b372105ab067

SHA256
2a0c6b16b1df880ba6b177f4b6530ea8e397f569ce96f5e38e62a694496f24b9

SHA512
9d21e68dbf4805a5583587497c92d3400be94c72a1f71c3fbdd94f5ef42b9b0cb1d733d33384a9622e6c3caccdce6cb3975cf8b2b4c9dcc9e61f78098ebf1e58

Download Submit
C:\backup.exe

Filesize
72KB

MD5
a385a309cd4b35f00f2042a3087b4d68

SHA1
40348d47f5e9025508e2a6aff035b372105ab067

SHA256
2a0c6b16b1df880ba6b177f4b6530ea8e397f569ce96f5e38e62a694496f24b9

SHA512
9d21e68dbf4805a5583587497c92d3400be94c72a1f71c3fbdd94f5ef42b9b0cb1d733d33384a9622e6c3caccdce6cb3975cf8b2b4c9dcc9e61f78098ebf1e58

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
6ed55db6fd116e6c83a1e0eb2ec3b0e2

SHA1
dfb7dd98043a1282c23fffa3e5e77f379b787b9e

SHA256
cefca6a442159a2ff6ad09709fcfeca66f978995473064394db69f2054385e20

SHA512
71b02c1ae59621063ec2266854dd9e510a8746f543d6d7b1049ab0213113227ff3a3da519c1e18a50860bc076a2561e296657bb1aefb799e36e1990b90c466bc

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
6ed55db6fd116e6c83a1e0eb2ec3b0e2

SHA1
dfb7dd98043a1282c23fffa3e5e77f379b787b9e

SHA256
cefca6a442159a2ff6ad09709fcfeca66f978995473064394db69f2054385e20

SHA512
71b02c1ae59621063ec2266854dd9e510a8746f543d6d7b1049ab0213113227ff3a3da519c1e18a50860bc076a2561e296657bb1aefb799e36e1990b90c466bc

Download Submit
memory/320-194-0x0000000000000000-mapping.dmp

Download
memory/624-244-0x0000000000000000-mapping.dmp

Download
memory/684-364-0x0000000000000000-mapping.dmp

Download
memory/744-381-0x0000000000000000-mapping.dmp

Download
memory/812-351-0x0000000000000000-mapping.dmp

Download
memory/848-179-0x0000000000000000-mapping.dmp

Download
memory/916-134-0x0000000000000000-mapping.dmp

Download
memory/1004-200-0x0000000000000000-mapping.dmp

Download
memory/1140-252-0x0000000000000000-mapping.dmp

Download
memory/1460-249-0x0000000000000000-mapping.dmp

Download
memory/1788-346-0x0000000000000000-mapping.dmp

Download
memory/1800-174-0x0000000000000000-mapping.dmp

Download
memory/1836-369-0x0000000000000000-mapping.dmp

Download
memory/1932-159-0x0000000000000000-mapping.dmp

Download
memory/2056-313-0x0000000000000000-mapping.dmp

Download
memory/2088-375-0x0000000000000000-mapping.dmp

Download
memory/2128-199-0x0000000000000000-mapping.dmp

Download
memory/2172-139-0x0000000000000000-mapping.dmp

Download
memory/2224-279-0x0000000000000000-mapping.dmp

Download
memory/2452-286-0x0000000000000000-mapping.dmp

Download
memory/2496-387-0x0000000000000000-mapping.dmp

Download
memory/2604-262-0x0000000000000000-mapping.dmp

Download
memory/2628-284-0x0000000000000000-mapping.dmp

Download
memory/2736-219-0x0000000000000000-mapping.dmp

Download
memory/2912-328-0x0000000000000000-mapping.dmp

Download
memory/2924-300-0x0000000000000000-mapping.dmp

Download
memory/2984-363-0x0000000000000000-mapping.dmp

Download
memory/3400-164-0x0000000000000000-mapping.dmp

Download
memory/3476-312-0x0000000000000000-mapping.dmp

Download
memory/3492-209-0x0000000000000000-mapping.dmp

Download
memory/3508-259-0x0000000000000000-mapping.dmp

Download
memory/3680-222-0x0000000000000000-mapping.dmp

Download
memory/3744-269-0x0000000000000000-mapping.dmp

Download
memory/3792-294-0x0000000000000000-mapping.dmp

Download
memory/3952-324-0x0000000000000000-mapping.dmp

Download
memory/3976-270-0x0000000000000000-mapping.dmp

Download
memory/4020-321-0x0000000000000000-mapping.dmp

Download
memory/4236-295-0x0000000000000000-mapping.dmp

Download
memory/4264-345-0x0000000000000000-mapping.dmp

Download
memory/4280-339-0x0000000000000000-mapping.dmp

Download
memory/4312-169-0x0000000000000000-mapping.dmp

Download
memory/4488-357-0x0000000000000000-mapping.dmp

Download
memory/4492-358-0x0000000000000000-mapping.dmp

Download
memory/4564-301-0x0000000000000000-mapping.dmp

Download
memory/4652-154-0x0000000000000000-mapping.dmp

Download
memory/4656-334-0x0000000000000000-mapping.dmp

Download
memory/4664-340-0x0000000000000000-mapping.dmp

Download
memory/4680-211-0x0000000000000000-mapping.dmp

Download
memory/4684-333-0x0000000000000000-mapping.dmp

Download
memory/4692-189-0x0000000000000000-mapping.dmp

Download
memory/4716-307-0x0000000000000000-mapping.dmp

Download
memory/4728-352-0x0000000000000000-mapping.dmp

Download
memory/4740-149-0x0000000000000000-mapping.dmp

Download
memory/4780-327-0x0000000000000000-mapping.dmp

Download
memory/4788-144-0x0000000000000000-mapping.dmp

Download
memory/4792-234-0x0000000000000000-mapping.dmp

Download
memory/4932-382-0x0000000000000000-mapping.dmp

Download
memory/4936-376-0x0000000000000000-mapping.dmp

Download
memory/4944-239-0x0000000000000000-mapping.dmp

Download
memory/4988-370-0x0000000000000000-mapping.dmp

Download
memory/5016-229-0x0000000000000000-mapping.dmp

Download
memory/5020-184-0x0000000000000000-mapping.dmp

Download
memory/5024-318-0x0000000000000000-mapping.dmp

Download
memory/5100-306-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads