5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a

Analysis

max time kernel
195s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe
Size

72KB
MD5

1733514be43ef150ccf7761da9fc39c5
SHA1

59296f333f41dcc4435b5362ca924b47f946ecc0
SHA256

5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a
SHA512

210681ac4c4a50387100fc1ab413e8ba52b0a8aa3f1544f572b647981a76246d1b6dd7896ab94acb38afae56e4449520b1cc806469d1853173e4af6429ed2fe4
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRrCy+:teThavEjDWguKCb

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exeupdate.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
4288	backup.exe
4788	backup.exe
32	backup.exe
2368	backup.exe
5020	backup.exe
4028	backup.exe
3880	backup.exe
3676	backup.exe
312	backup.exe
4588	backup.exe
3012	backup.exe
5108	backup.exe
5096	update.exe
564	backup.exe
3468	backup.exe
4796	backup.exe
4664	update.exe
4240	backup.exe
1988	data.exe
2808	backup.exe
4116	backup.exe
460	backup.exe
3484	backup.exe
4376	backup.exe
1096	backup.exe
3976	backup.exe
1176	backup.exe
4440	backup.exe
4828	backup.exe
4384	backup.exe
4832	backup.exe
4768	backup.exe
1112	backup.exe
2036	backup.exe
3504	backup.exe
768	backup.exe
4748	backup.exe
4672	backup.exe
4068	backup.exe
5056	backup.exe
3988	backup.exe
3700	backup.exe
2484	backup.exe
444	backup.exe
2696	backup.exe
3652	backup.exe
4368	backup.exe
2284	backup.exe
2960	backup.exe
1180	backup.exe
4772	backup.exe
4292	backup.exe
1416	backup.exe
4200	backup.exe
4120	backup.exe
920	backup.exe
3172	System Restore.exe
2624	backup.exe
548	backup.exe
1560	backup.exe
1516	backup.exe
2428	backup.exe
3464	backup.exe
2176	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe

Drops file in Windows directory 26 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe

pid process

2476 5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exeupdate.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe
4288	backup.exe
4788	backup.exe
32	backup.exe
2368	backup.exe
5020	backup.exe
4028	backup.exe
3880	backup.exe
3676	backup.exe
312	backup.exe
4588	backup.exe
3012	backup.exe
5108	backup.exe
5096	update.exe
564	backup.exe
3468	backup.exe
4796	backup.exe
4664	update.exe
4240	backup.exe
1988	data.exe
4116	backup.exe
2808	backup.exe
460	backup.exe
1096	backup.exe
4376	backup.exe
3976	backup.exe
3484	backup.exe
1176	backup.exe
1112	backup.exe
4828	backup.exe
4384	backup.exe
4440	backup.exe
4768	backup.exe
4832	backup.exe
2036	backup.exe
3504	backup.exe
768	backup.exe
4748	backup.exe
4672	backup.exe
3988	backup.exe
5056	backup.exe
2484	backup.exe
3700	backup.exe
4068	backup.exe
444	backup.exe
2696	backup.exe
3652	backup.exe
4368	backup.exe
2284	backup.exe
2960	backup.exe
1180	backup.exe
4292	backup.exe
1416	backup.exe
4772	backup.exe
4200	backup.exe
4120	backup.exe
920	backup.exe
3172	System Restore.exe
2624	backup.exe
1516	backup.exe
1560	backup.exe
548	backup.exe
2428	backup.exe
1744	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 2476 wrote to memory of 4288	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4288	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4288	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4788	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4788	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4788	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 32	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 32	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 32	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 2368	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 2368	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 2368	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 5020	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 5020	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 5020	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4028	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4028	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 4028	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 3880	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 3880	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 2476 wrote to memory of 3880	2476	5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe	backup.exe
PID 4288 wrote to memory of 3676	4288	backup.exe	backup.exe
PID 4288 wrote to memory of 3676	4288	backup.exe	backup.exe
PID 4288 wrote to memory of 3676	4288	backup.exe	backup.exe
PID 3676 wrote to memory of 312	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 312	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 312	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 4588	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 4588	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 4588	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 3012	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 3012	3676	backup.exe	backup.exe
PID 3676 wrote to memory of 3012	3676	backup.exe	backup.exe
PID 3012 wrote to memory of 5108	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 5108	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 5108	3012	backup.exe	backup.exe
PID 5108 wrote to memory of 5096	5108	backup.exe	update.exe
PID 5108 wrote to memory of 5096	5108	backup.exe	update.exe
PID 5108 wrote to memory of 5096	5108	backup.exe	update.exe
PID 3012 wrote to memory of 564	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 564	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 564	3012	backup.exe	backup.exe
PID 564 wrote to memory of 3468	564	backup.exe	backup.exe
PID 564 wrote to memory of 3468	564	backup.exe	backup.exe
PID 564 wrote to memory of 3468	564	backup.exe	backup.exe
PID 564 wrote to memory of 4796	564	backup.exe	backup.exe
PID 564 wrote to memory of 4796	564	backup.exe	backup.exe
PID 564 wrote to memory of 4796	564	backup.exe	backup.exe
PID 4796 wrote to memory of 4664	4796	backup.exe	update.exe
PID 4796 wrote to memory of 4664	4796	backup.exe	update.exe
PID 4796 wrote to memory of 4664	4796	backup.exe	update.exe
PID 4796 wrote to memory of 4240	4796	backup.exe	backup.exe
PID 4796 wrote to memory of 4240	4796	backup.exe	backup.exe
PID 4796 wrote to memory of 4240	4796	backup.exe	backup.exe
PID 3012 wrote to memory of 2808	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 2808	3012	backup.exe	backup.exe
PID 3012 wrote to memory of 2808	3012	backup.exe	backup.exe
PID 3676 wrote to memory of 1988	3676	backup.exe	data.exe
PID 3676 wrote to memory of 1988	3676	backup.exe	data.exe
PID 3676 wrote to memory of 1988	3676	backup.exe	data.exe
PID 564 wrote to memory of 460	564	backup.exe	backup.exe
PID 564 wrote to memory of 460	564	backup.exe	backup.exe
PID 564 wrote to memory of 460	564	backup.exe	backup.exe
PID 4240 wrote to memory of 4116	4240	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe
"C:\Users\Admin\AppData\Local\Temp\5cd89922592e7dbb5adcced2ddb14684c4ff603dd7fd321916085f66a117ad1a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\1366931039\backup.exe
C:\Users\Admin\AppData\Local\Temp\1366931039\backup.exe C:\Users\Admin\AppData\Local\Temp\1366931039\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676

C:\odt\backup.exe
C:\odt\backup.exe C:\odt\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:312

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5108

C:\Program Files\7-Zip\Lang\update.exe
"C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:564

C:\Program Files\Common Files\DESIGNER\backup.exe
"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Program Files\Common Files\microsoft shared\backup.exe
"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4116

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3976

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:768

C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:444

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4772

C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
8⤵
PID:4048

C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
8⤵
- System policy modification
PID:564

C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3952

C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
8⤵
- System policy modification
PID:4864

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
8⤵
PID:3664

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
8⤵
- System policy modification
PID:2548

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:556

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2408

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
9⤵
PID:4140

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
9⤵
PID:4712

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
9⤵
- System policy modification
PID:2584

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
9⤵
PID:904

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
9⤵
PID:1616

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
9⤵
PID:2124

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
9⤵
- System policy modification
PID:2700

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
9⤵
- Modifies visibility of file extensions in Explorer
PID:3916

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
9⤵
PID:2492

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
9⤵
PID:1776

C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
8⤵
PID:2240

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
8⤵
PID:448

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
8⤵
PID:4924

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
PID:5080

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
8⤵
- System policy modification
PID:4788

C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:3716

C:\Program Files\Common Files\microsoft shared\ink\ko-KR\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
8⤵
PID:3512

C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
8⤵
PID:1348

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
8⤵
PID:1520

C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
8⤵
PID:2588

C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
8⤵
PID:1592

C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4072

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1544

C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
8⤵
PID:3996

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
8⤵
- System policy modification
PID:4016

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4700

C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
8⤵
- System policy modification
PID:4072

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\sl-SI\update.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
8⤵
PID:4520

C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
8⤵
- System policy modification
PID:2880

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
8⤵
PID:4884

C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
8⤵
PID:4124

C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
8⤵
PID:3700

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
8⤵
PID:2204

C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
- Executes dropped EXE
PID:3464

C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:3380

C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:4892

C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
7⤵
- Modifies visibility of file extensions in Explorer
PID:5112

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
8⤵
PID:5088

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3668

C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
7⤵
PID:1808

C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
7⤵
PID:4064

C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
7⤵
PID:3476

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2112

C:\Program Files\Common Files\microsoft shared\Triedit\data.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:384

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
8⤵
- System policy modification
PID:1388

C:\Program Files\Common Files\microsoft shared\VC\backup.exe
"C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
7⤵
PID:4504

C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
7⤵
PID:5016

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
8⤵
PID:4360

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
9⤵
PID:1772

C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
"C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
7⤵
- System policy modification
PID:556

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:460

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:920

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
- Executes dropped EXE
PID:2176

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- System policy modification
PID:4776

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
- System policy modification
PID:2720

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:396

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:4016

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:1652

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4372

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:4540

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:3880

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- System policy modification
PID:5032

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:4852

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:1720

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:4764

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:1120

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
- System policy modification
PID:1416

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:4020

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
PID:4992

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2808

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1516

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
PID:2376

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- System policy modification
PID:1488

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:1800

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
PID:32

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
PID:1592

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\data.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
- System policy modification
PID:2476

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
PID:400

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
- Modifies visibility of file extensions in Explorer
PID:816

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:3108

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
- System policy modification
PID:3540

C:\Program Files\Internet Explorer\it-IT\update.exe
"C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:372

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:3500

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1864

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1788

C:\Program Files\Java\jdk1.8.0_66\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
6⤵
- Drops file in Program Files directory
PID:2236

C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
7⤵
PID:4296

C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
7⤵
PID:4108

C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
8⤵
PID:1992

C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
8⤵
PID:3432

C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
7⤵
PID:3124

C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
8⤵
PID:1568

C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
7⤵
PID:2544

C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
8⤵
- Drops file in Program Files directory
PID:2116

C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
9⤵
- Modifies visibility of file extensions in Explorer
PID:5020

C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4660

C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
9⤵
PID:1664

C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
9⤵
- Drops file in Program Files directory
PID:4796

C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4772

C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\data.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
9⤵
PID:5020

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
9⤵
PID:1568

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\
10⤵
PID:4016

C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
9⤵
PID:5108

C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\
9⤵
PID:4828

C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\
9⤵
PID:4868

C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
8⤵
- Drops file in Program Files directory
PID:3692

C:\Program Files\Java\jdk1.8.0_66\lib\update.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
7⤵
- System policy modification
PID:3952

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2400

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
9⤵
PID:3028

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
- Modifies visibility of file extensions in Explorer
PID:8

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
- Modifies visibility of file extensions in Explorer
PID:64

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
9⤵
PID:5080

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
9⤵
PID:372

C:\Program Files\Java\jre1.8.0_66\backup.exe
"C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
6⤵
PID:1892

C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
7⤵
PID:4304

C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
8⤵
PID:1308

C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
8⤵
PID:2216

C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
8⤵
PID:1348

C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
7⤵
PID:3600

C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
8⤵
PID:4468

C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
8⤵
- System policy modification
PID:3400

C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
8⤵
- Drops file in Program Files directory
PID:4992

C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
9⤵
PID:2320

C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
8⤵
PID:3312

C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
8⤵
PID:3108

C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
8⤵
PID:2484

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:4848

C:\Program Files\Microsoft Office\Office16\backup.exe
"C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
6⤵
- System policy modification
PID:5072

C:\Program Files\Microsoft Office\PackageManifests\backup.exe
"C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
6⤵
PID:4040

C:\Program Files\Microsoft Office\root\update.exe
"C:\Program Files\Microsoft Office\root\update.exe" C:\Program Files\Microsoft Office\root\
6⤵
PID:3152

C:\Program Files\Microsoft Office\root\fre\backup.exe
"C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
7⤵
PID:1924

C:\Program Files\Microsoft Office\root\Integration\backup.exe
"C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
7⤵
- System policy modification
PID:3668

C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
"C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
8⤵
PID:4912

C:\Program Files\Microsoft Office\root\Licenses\System Restore.exe
"C:\Program Files\Microsoft Office\root\Licenses\System Restore.exe" C:\Program Files\Microsoft Office\root\Licenses\
7⤵
PID:1948

C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
"C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3776

C:\Program Files\Microsoft Office\root\loc\backup.exe
"C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
7⤵
- System policy modification
PID:1444

C:\Program Files\Microsoft Office\root\Office15\backup.exe
"C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
7⤵
PID:2032

C:\Program Files\Microsoft Office\root\Office16\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
7⤵
- Drops file in Program Files directory
PID:2028

C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
8⤵
PID:2368

C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
9⤵
PID:1316

C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
9⤵
PID:3276

C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4768

C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
8⤵
- System policy modification
PID:4964

C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
8⤵
PID:3956

C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4740

C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System Restore.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
9⤵
PID:4144

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4640

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System Restore.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System Restore.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
10⤵
- Modifies visibility of file extensions in Explorer
PID:980

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
9⤵
PID:2152

C:\Program Files\Microsoft Office\root\rsod\backup.exe
"C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
7⤵
PID:4348

C:\Program Files\Microsoft Office\root\Templates\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
7⤵
- Drops file in Program Files directory
PID:3848

C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
8⤵
PID:4892

C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
9⤵
- Modifies visibility of file extensions in Explorer
PID:3476

C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
8⤵
PID:4548

C:\Program Files\Microsoft Office\root\vfs\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
7⤵
PID:1168

C:\Program Files\Microsoft Office\Updates\backup.exe
"C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
6⤵
PID:3464

C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
7⤵
PID:3648

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
8⤵
PID:688

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\4705ECFD-ABBD-4089-8453-56EA3EB6E985\
9⤵
- System policy modification
PID:3700

C:\Program Files\Microsoft Office\Updates\Download\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1948

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
8⤵
PID:4748

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\System Restore.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\
9⤵
PID:4092

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\
10⤵
PID:4712

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\
11⤵
- Modifies visibility of file extensions in Explorer
PID:2220

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\Windows\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\4705ECFD-ABBD-4089-8453-56EA3EB6E985\root\vfs\Windows\
12⤵
PID:816

C:\Program Files\Microsoft Office 15\backup.exe
"C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
5⤵
PID:3700

C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
"C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
6⤵
PID:556

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
- Drops file in Program Files directory
PID:1584

C:\Program Files\Mozilla Firefox\uninstall\backup.exe
"C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
6⤵
PID:216

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:2172

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
6⤵
PID:1884

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
PID:3128

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:1552

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
- System policy modification
PID:3476

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:1584

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
6⤵
- System policy modification
PID:4544

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4624

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
8⤵
- Drops file in Program Files directory
PID:1492

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
9⤵
PID:3900

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
9⤵
PID:688

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
9⤵
PID:1348

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
- Modifies visibility of file extensions in Explorer
PID:4156

C:\Program Files\VideoLAN\VLC\backup.exe
"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
6⤵
PID:4232

C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
7⤵
- System policy modification
PID:4312

C:\Program Files\VideoLAN\VLC\locale\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
7⤵
- Drops file in Program Files directory
PID:2320

C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
8⤵
PID:4016

C:\Program Files (x86)\data.exe
"C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
9⤵
PID:548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
8⤵
PID:2888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
8⤵
PID:1096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
8⤵
PID:3488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
8⤵
PID:312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
9⤵
PID:1328

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
8⤵
PID:3916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
9⤵
PID:2024

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
8⤵
PID:3612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
8⤵
PID:3448

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
9⤵
PID:1740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
8⤵
PID:816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
9⤵
- System policy modification
PID:2012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
8⤵
- System policy modification
PID:2872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
9⤵
PID:4112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
9⤵
PID:1532

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
8⤵
PID:2128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
9⤵
PID:4452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
8⤵
- System policy modification
PID:3016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
8⤵
- System policy modification
PID:1096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
8⤵
- Drops file in Program Files directory
PID:1688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
9⤵
PID:2428

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
10⤵
PID:3128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
11⤵
PID:1396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
12⤵
PID:3496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
7⤵
- System policy modification
PID:4988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
8⤵
PID:5020

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
9⤵
PID:3116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
8⤵
PID:2172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
8⤵
PID:3064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
9⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:4276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
10⤵
PID:3312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:4520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
PID:4916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:1180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:1060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
8⤵
PID:4072

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
7⤵
PID:1892

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
8⤵
PID:3996

C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
7⤵
- Drops file in Program Files directory
PID:3496

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
8⤵
PID:684

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
9⤵
PID:1304

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
10⤵
PID:3856

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
10⤵
- Drops file in Program Files directory
PID:4688

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
11⤵
PID:1968

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
12⤵
PID:3164

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
13⤵
PID:1556

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
14⤵
PID:1560

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
14⤵
- System policy modification
PID:4100

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
14⤵
PID:2384

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
13⤵
- Drops file in Program Files directory
PID:4052

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
14⤵
PID:768

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
14⤵
PID:2880

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
14⤵
PID:1492

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
13⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2428

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
14⤵
PID:4540

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
14⤵
PID:1536

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
14⤵
PID:4520

C:\Program Files (x86)\Common Files\Java\backup.exe
"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
6⤵
- Modifies visibility of file extensions in Explorer
PID:4916

C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
7⤵
PID:928

C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
6⤵
- Drops file in Program Files directory
PID:4864

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System Restore.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
7⤵
PID:4980

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
7⤵
- Drops file in Program Files directory
PID:952

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\data.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
8⤵
PID:400

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
8⤵
PID:2476

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
8⤵
PID:3700

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
PID:3996

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
PID:2208

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
8⤵
PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
PID:5116

C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
7⤵
- System policy modification
PID:4308

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
7⤵
PID:3964

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
8⤵
PID:2640

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
7⤵
PID:4740

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:3192

C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
7⤵
PID:2220

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
7⤵
- System policy modification
PID:4424

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:1616

C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:1280

C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:3328

C:\Program Files (x86)\Common Files\Microsoft Shared\VC\update.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
7⤵
PID:2720

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
7⤵
PID:4340

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:64

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:3272

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:4056

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:3292

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:2476

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
8⤵
PID:4232

C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
8⤵
PID:4688

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
8⤵
PID:4360

C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
8⤵
PID:4624

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
7⤵
PID:3900

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
7⤵
PID:3996

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
7⤵
PID:640

C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
7⤵
PID:1516

C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
7⤵
PID:4388

C:\Program Files (x86)\Common Files\System\msadc\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
7⤵
PID:2112

C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
8⤵
PID:4424

C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
7⤵
PID:2504

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Drops file in Program Files directory
PID:1732

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
- Modifies visibility of file extensions in Explorer
PID:4284

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:4052

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:1536

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
- Drops file in Program Files directory
PID:1816

C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
7⤵
PID:1708

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2052

C:\Program Files (x86)\Google\Update\Install\{91D30917-5DF7-45E3-A370-5691129BC8A2}\backup.exe
"C:\Program Files (x86)\Google\Update\Install\{91D30917-5DF7-45E3-A370-5691129BC8A2}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{91D30917-5DF7-45E3-A370-5691129BC8A2}\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1032

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4348

C:\Program Files (x86)\Google\Update\Offline\update.exe
"C:\Program Files (x86)\Google\Update\Offline\update.exe" C:\Program Files (x86)\Google\Update\Offline\
7⤵
PID:1800

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:4020

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:3464

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:4244

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:4872

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:3916

C:\Program Files (x86)\Internet Explorer\images\backup.exe
"C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
6⤵
PID:2360

C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
PID:4964

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
PID:2376

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2204

C:\Program Files (x86)\Microsoft\backup.exe
"C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
5⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
7⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
8⤵
- Drops file in Program Files directory
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
9⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
9⤵
- Drops file in Program Files directory
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
10⤵
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
10⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
9⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
9⤵
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
9⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
9⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
9⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
9⤵
PID:364

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
8⤵
PID:64

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
6⤵
- Drops file in Program Files directory
PID:4860

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\
7⤵
PID:4160

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
7⤵
PID:3064

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
8⤵
- Modifies visibility of file extensions in Explorer
PID:5100

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.169.31\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.169.31\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.169.31\
9⤵
PID:3548

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
7⤵
PID:1112

C:\Program Files (x86)\Microsoft\Temp\backup.exe
"C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
6⤵
PID:5048

C:\Program Files (x86)\Microsoft.NET\backup.exe
"C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
5⤵
- Drops file in Program Files directory
PID:3116

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
6⤵
PID:4400

C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
6⤵
PID:4244

C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
5⤵
PID:2204

C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
6⤵
PID:3856

C:\Program Files (x86)\MSBuild\backup.exe
"C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
5⤵
PID:4212

C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2128

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:3796

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:3668

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
PID:852

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Users\Admin\3D Objects\backup.exe
"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:2240

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:4284

C:\Users\Admin\Favorites\System Restore.exe
"C:\Users\Admin\Favorites\System Restore.exe" C:\Users\Admin\Favorites\
6⤵
PID:4396

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:4884

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Users\Admin\OneDrive\backup.exe
C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
6⤵
PID:2208

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:1060

C:\Users\Admin\Pictures\Camera Roll\backup.exe
"C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
7⤵
PID:4504

C:\Users\Admin\Pictures\Saved Pictures\backup.exe
"C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
7⤵
PID:3512

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:3404

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:3692

C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
7⤵
PID:4032

C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
7⤵
PID:2736

C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4292

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:4964

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:4212

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:212

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
- System policy modification
PID:4776

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:444

C:\Users\Public\Downloads\data.exe
C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
6⤵
- System policy modification
PID:2212

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in Windows directory
PID:4560

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
- System policy modification
PID:3964

C:\Windows\appcompat\backup.exe
C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
5⤵
- Drops file in Windows directory
PID:4816

C:\Windows\appcompat\encapsulation\update.exe
C:\Windows\appcompat\encapsulation\update.exe C:\Windows\appcompat\encapsulation\
6⤵
PID:3008

C:\Windows\appcompat\Programs\backup.exe
C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
6⤵
PID:2240

C:\Windows\appcompat\appraiser\System Restore.exe
"C:\Windows\appcompat\appraiser\System Restore.exe" C:\Windows\appcompat\appraiser\
6⤵
- Drops file in Windows directory
PID:2616

C:\Windows\apppatch\backup.exe
C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
5⤵
- Drops file in Windows directory
PID:3880

C:\Windows\apppatch\AppPatch64\backup.exe
C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
6⤵
PID:4664

C:\Windows\apppatch\Custom\backup.exe
C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
6⤵
- Drops file in Windows directory
PID:852

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
7⤵
PID:2384

C:\Windows\apppatch\CustomSDB\backup.exe
C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
6⤵
- System policy modification
PID:4748

C:\Windows\apppatch\de-DE\backup.exe
C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
6⤵
PID:1392

C:\Windows\apppatch\en-US\backup.exe
C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
6⤵
- System policy modification
PID:4108

C:\Windows\apppatch\es-ES\backup.exe
C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
6⤵
PID:1804

C:\Windows\apppatch\fr-FR\backup.exe
C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
6⤵
PID:3848

C:\Windows\apppatch\it-IT\backup.exe
C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
6⤵
- Drops file in Program Files directory
PID:3064

C:\Windows\apppatch\ja-JP\backup.exe
C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
6⤵
PID:1152

C:\Windows\AppReadiness\data.exe
C:\Windows\AppReadiness\data.exe C:\Windows\AppReadiness\
5⤵
PID:2168

C:\Windows\assembly\System Restore.exe
"C:\Windows\assembly\System Restore.exe" C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:1924

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
- Drops file in Windows directory
PID:3632

C:\Windows\assembly\GAC\ADODB\backup.exe
C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
7⤵
- Drops file in Windows directory
PID:2208

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:1664

C:\Windows\assembly\GAC\Extensibility\backup.exe
C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
7⤵
- Drops file in Windows directory
PID:4908

C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:1892

C:\Windows\bcastdvr\backup.exe
C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
5⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:32

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Windows\appcompat\appraiser\Telemetry\backup.exe
C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
1⤵
- Modifies visibility of file extensions in Explorer
PID:3516

C:\Program Files\Microsoft Office\root\Client\backup.exe
"C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
1⤵
PID:2168

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
1⤵
- Drops file in Program Files directory
PID:4616

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
2⤵
PID:3964

C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
2⤵
PID:4852

C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
1⤵
PID:3676

C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
1⤵
PID:3400

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
2⤵
PID:1824

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
2⤵
PID:4648

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
2⤵
PID:4772

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
1⤵
PID:3132

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
1⤵
PID:872

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
1⤵
PID:1544

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
2⤵
PID:3500

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
1⤵
PID:3584

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
2⤵
PID:3580

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
1⤵
PID:3016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
2⤵
PID:3764

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
1⤵
PID:1112

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4AEAC516-6472-40AF-A028-47D0AF4A6918}\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4AEAC516-6472-40AF-A028-47D0AF4A6918}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4AEAC516-6472-40AF-A028-47D0AF4A6918}\
2⤵
PID:1120

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
1⤵
PID:1720

C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
1⤵
PID:3952

C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
1⤵
- Modifies visibility of file extensions in Explorer
PID:4244

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
1⤵
PID:4564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
1⤵
PID:3556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
2⤵
PID:4436

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
3⤵
PID:5056

C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
1⤵
PID:4396

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
1⤵
PID:3008

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
1⤵
- Drops file in Program Files directory
PID:3640

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
2⤵
PID:2492

C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
1⤵
PID:1316

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
1⤵
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
Filesize
72KB

MD5
174192893ef44ecf73ea775d3e5c2e15

SHA1
4c438bbb5f42f3c70b0d5c37b224c80be882691c

SHA256
9acec7666ffb362afc6e02d2a52941ef1cd18665dcc0282e1cf27d2b9ed9489c

SHA512
420f6a038acff8b9a2879c8fbe87758bd8130350c7c3da1a6f585f46c9f21c822f212123bd7b0f39279c96e0f65eecf313defe3d715b37bc1015e365fcce14c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
Filesize
72KB

MD5
174192893ef44ecf73ea775d3e5c2e15

SHA1
4c438bbb5f42f3c70b0d5c37b224c80be882691c

SHA256
9acec7666ffb362afc6e02d2a52941ef1cd18665dcc0282e1cf27d2b9ed9489c

SHA512
420f6a038acff8b9a2879c8fbe87758bd8130350c7c3da1a6f585f46c9f21c822f212123bd7b0f39279c96e0f65eecf313defe3d715b37bc1015e365fcce14c6

Download Submit
C:\Program Files (x86)\Adobe\backup.exe
Filesize
72KB

MD5
19e3688f2ede9afc60140744cb5e1420

SHA1
236a040365995750872abb305bfb40b47fd1b43c

SHA256
147b4e81f8b4241ce4caecaad73975290c076f123086c14e91d9bc53883995f8

SHA512
0b2e0710189117c4b81fb6df57a82681dd3b31531989c37efd36f3d5163a5e8a5b9bdfb65e6afd365cc11de1fa2060f42a310c6de051e04a8a9b1d7efd8e640c

Download Submit
C:\Program Files (x86)\Adobe\backup.exe
Filesize
72KB

MD5
19e3688f2ede9afc60140744cb5e1420

SHA1
236a040365995750872abb305bfb40b47fd1b43c

SHA256
147b4e81f8b4241ce4caecaad73975290c076f123086c14e91d9bc53883995f8

SHA512
0b2e0710189117c4b81fb6df57a82681dd3b31531989c37efd36f3d5163a5e8a5b9bdfb65e6afd365cc11de1fa2060f42a310c6de051e04a8a9b1d7efd8e640c

Download Submit
C:\Program Files (x86)\data.exe
Filesize
72KB

MD5
04690084d90d09eb76a8e38a5cd4aade

SHA1
ce372181f195ca0cf857a58dd74aa4e83c9ba2e4

SHA256
d0439191e73c577176d03f7ea3bb574efc66b3c10c5456788c5b81fca1a7b77f

SHA512
965c1caa8777db12ec7462954ba2070b074fce3d22d27f3135016d478a4fda9ce94aedba484ed674436480412771104136086c3b03e165e57c3cbb7e3f1a327e

Download Submit
C:\Program Files (x86)\data.exe
Filesize
72KB

MD5
04690084d90d09eb76a8e38a5cd4aade

SHA1
ce372181f195ca0cf857a58dd74aa4e83c9ba2e4

SHA256
d0439191e73c577176d03f7ea3bb574efc66b3c10c5456788c5b81fca1a7b77f

SHA512
965c1caa8777db12ec7462954ba2070b074fce3d22d27f3135016d478a4fda9ce94aedba484ed674436480412771104136086c3b03e165e57c3cbb7e3f1a327e

Download Submit
C:\Program Files\7-Zip\Lang\update.exe
Filesize
72KB

MD5
5b93e80e7e013193dcb739cb9824ad26

SHA1
00d76db61bae9797ce7155c0892866cf982ab688

SHA256
f54d99c18271552ec83035bc1419d169ca253d4b421a489f7dfe6da1991ad0bc

SHA512
ebae1a6ef4f4f35eb4897ab127d1b2f3085bcacc9c0ca808d227fd3e02961bc6879bf24a01589ef518c439baf3c0b91d5650cad5d61eb8ff696ee8b2e4b64912

Download Submit
C:\Program Files\7-Zip\Lang\update.exe
Filesize
72KB

MD5
5b93e80e7e013193dcb739cb9824ad26

SHA1
00d76db61bae9797ce7155c0892866cf982ab688

SHA256
f54d99c18271552ec83035bc1419d169ca253d4b421a489f7dfe6da1991ad0bc

SHA512
ebae1a6ef4f4f35eb4897ab127d1b2f3085bcacc9c0ca808d227fd3e02961bc6879bf24a01589ef518c439baf3c0b91d5650cad5d61eb8ff696ee8b2e4b64912

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
f45ff90b555b481553b723912768c0a9

SHA1
98450d5760e7a95f826249c78549e41e4facaf3a

SHA256
197b9743abd98bcc8ce0261b084263d70334fe57268931feae242e9555ee9fa1

SHA512
854237da80e45cf4b5ea5f0df26e059da2995fa889e47e5fc5414b2ccddac1853a54b26becbbe579b47521c812b921b735673d644c7364d33022056da5185f41

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
f45ff90b555b481553b723912768c0a9

SHA1
98450d5760e7a95f826249c78549e41e4facaf3a

SHA256
197b9743abd98bcc8ce0261b084263d70334fe57268931feae242e9555ee9fa1

SHA512
854237da80e45cf4b5ea5f0df26e059da2995fa889e47e5fc5414b2ccddac1853a54b26becbbe579b47521c812b921b735673d644c7364d33022056da5185f41

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe
Filesize
72KB

MD5
1596f71181bcf4d48ed185ad7145f356

SHA1
4a439479c78b1a60ce26e56b6c0b5eeb0fc862bf

SHA256
b2c86bf6117d46e64e87b971cb852ab031d0763d38de8bd2ad048f301ce55799

SHA512
0293f4aaf63eaa5f39d914f58fc0b8c820a12b2b08ceb00aa307451fda3a2f2afb1c5ae78f284ab9898360400bf7e350f23793a948ae839f9a304cb641e02735

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe
Filesize
72KB

MD5
1596f71181bcf4d48ed185ad7145f356

SHA1
4a439479c78b1a60ce26e56b6c0b5eeb0fc862bf

SHA256
b2c86bf6117d46e64e87b971cb852ab031d0763d38de8bd2ad048f301ce55799

SHA512
0293f4aaf63eaa5f39d914f58fc0b8c820a12b2b08ceb00aa307451fda3a2f2afb1c5ae78f284ab9898360400bf7e350f23793a948ae839f9a304cb641e02735

Download Submit
C:\Program Files\Common Files\Services\backup.exe
Filesize
72KB

MD5
e3f2377e71fbf5ca1ae6e80a2f015b7f

SHA1
7b80482a74704d922b23f44dc235922ca785f59f

SHA256
1cdf3395accc18ba0842db7eb359d81db85982f920e7091927dee9ecef50e905

SHA512
d22854470db2e2096ecb9824a74b1a115958ef12c179c74c071d94efe4878a9a8bc4013efb7c86b7208305ecd0d03adb9cfddf501eda55aaa3dd2980b06cb306

Download Submit
C:\Program Files\Common Files\Services\backup.exe
Filesize
72KB

MD5
e3f2377e71fbf5ca1ae6e80a2f015b7f

SHA1
7b80482a74704d922b23f44dc235922ca785f59f

SHA256
1cdf3395accc18ba0842db7eb359d81db85982f920e7091927dee9ecef50e905

SHA512
d22854470db2e2096ecb9824a74b1a115958ef12c179c74c071d94efe4878a9a8bc4013efb7c86b7208305ecd0d03adb9cfddf501eda55aaa3dd2980b06cb306

Download Submit
C:\Program Files\Common Files\System\backup.exe
Filesize
72KB

MD5
8476366b087befc931d8f7334ff9c200

SHA1
6e9ed2423d4fcd2b58ec02f1665b7b91ae017ed4

SHA256
0611ce2a9a459e871886e27e6ecf1f218052ae05711fcdc4621c9c0147ae327c

SHA512
2ee74baa86fb637a8e1bc44a755c0c6c0d9a8b10fff550f0f2f60a05bf62b9c49f0335874544130a128cfdc240e97cc9119b572b7d08e8a72bc1fb7b3c835ef4

Download Submit
C:\Program Files\Common Files\System\backup.exe
Filesize
72KB

MD5
8476366b087befc931d8f7334ff9c200

SHA1
6e9ed2423d4fcd2b58ec02f1665b7b91ae017ed4

SHA256
0611ce2a9a459e871886e27e6ecf1f218052ae05711fcdc4621c9c0147ae327c

SHA512
2ee74baa86fb637a8e1bc44a755c0c6c0d9a8b10fff550f0f2f60a05bf62b9c49f0335874544130a128cfdc240e97cc9119b572b7d08e8a72bc1fb7b3c835ef4

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33d4cbbc10f53a3616ffc91f5f28950e

SHA1
17db2beab1de14221ab682a8a259ef2ac81c0901

SHA256
c97b022c6d4d8abf6a3bdb35b46d24a4b88b997d63cdc1b826f81075f21f1415

SHA512
29b669dd4806935dbe44efa2bd53e423c2bdc83d173e1cba2dbd9c0b7358fc2f6d2dcad10a48d6af02d0f22cdfdf99ddf654596de84b8d214a876a8d173489a8

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33d4cbbc10f53a3616ffc91f5f28950e

SHA1
17db2beab1de14221ab682a8a259ef2ac81c0901

SHA256
c97b022c6d4d8abf6a3bdb35b46d24a4b88b997d63cdc1b826f81075f21f1415

SHA512
29b669dd4806935dbe44efa2bd53e423c2bdc83d173e1cba2dbd9c0b7358fc2f6d2dcad10a48d6af02d0f22cdfdf99ddf654596de84b8d214a876a8d173489a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
Filesize
72KB

MD5
8fafe4bfc0111dd89824e496641cd880

SHA1
3c007835201c62969b3e727f44c95247d93e95fb

SHA256
c0fa1c0f57fd9697297be77256f8eb6cd94ef3673f88bfa0a5d93d2c075fa283

SHA512
7d9f519fe423984547eaae5365c39f84cd3821ead876baf3d693e651a84526a89bda6e02955885e0bb72f3efe8d2fcac9ac9b3d99380646e31419af9cc886780

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\update.exe
Filesize
72KB

MD5
8fafe4bfc0111dd89824e496641cd880

SHA1
3c007835201c62969b3e727f44c95247d93e95fb

SHA256
c0fa1c0f57fd9697297be77256f8eb6cd94ef3673f88bfa0a5d93d2c075fa283

SHA512
7d9f519fe423984547eaae5365c39f84cd3821ead876baf3d693e651a84526a89bda6e02955885e0bb72f3efe8d2fcac9ac9b3d99380646e31419af9cc886780

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
Filesize
72KB

MD5
93c24ec421b419fc90dbf432cccfa058

SHA1
ea930dcf306f2cc4705d5247d712f15215701221

SHA256
ccbc97d51b3a396c0963dc04f6a9e0c3e20e3c267fd8e5205bab874740a0c654

SHA512
bda8c95c517b35d1863140cf14020a72b12389657c032aa207fafb870e429a481e1f57ff2010eb2090f4928ca5f78201e039f08ccbe9d00e84cf986aa6565dd7

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
Filesize
72KB

MD5
93c24ec421b419fc90dbf432cccfa058

SHA1
ea930dcf306f2cc4705d5247d712f15215701221

SHA256
ccbc97d51b3a396c0963dc04f6a9e0c3e20e3c267fd8e5205bab874740a0c654

SHA512
bda8c95c517b35d1863140cf14020a72b12389657c032aa207fafb870e429a481e1f57ff2010eb2090f4928ca5f78201e039f08ccbe9d00e84cf986aa6565dd7

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe
Filesize
72KB

MD5
1596f71181bcf4d48ed185ad7145f356

SHA1
4a439479c78b1a60ce26e56b6c0b5eeb0fc862bf

SHA256
b2c86bf6117d46e64e87b971cb852ab031d0763d38de8bd2ad048f301ce55799

SHA512
0293f4aaf63eaa5f39d914f58fc0b8c820a12b2b08ceb00aa307451fda3a2f2afb1c5ae78f284ab9898360400bf7e350f23793a948ae839f9a304cb641e02735

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe
Filesize
72KB

MD5
1596f71181bcf4d48ed185ad7145f356

SHA1
4a439479c78b1a60ce26e56b6c0b5eeb0fc862bf

SHA256
b2c86bf6117d46e64e87b971cb852ab031d0763d38de8bd2ad048f301ce55799

SHA512
0293f4aaf63eaa5f39d914f58fc0b8c820a12b2b08ceb00aa307451fda3a2f2afb1c5ae78f284ab9898360400bf7e350f23793a948ae839f9a304cb641e02735

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
16e5909de70a5d8d3d3cabc57ffd9487

SHA1
e2e01408cbb9b64855cc0b807889b532c77f98b0

SHA256
8052d95cfa56c3fe4bf074e14a1fbda4d27c29f4d151aa4c6033704afda5e082

SHA512
ab9365ce8f01a71702d9958de02c2254b1e1900b90517162f13b777d2b8f1fce71c6e50e37476374e2900b81ca3424bbf3c53d24086760f1f4caad06e4861b60

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
16e5909de70a5d8d3d3cabc57ffd9487

SHA1
e2e01408cbb9b64855cc0b807889b532c77f98b0

SHA256
8052d95cfa56c3fe4bf074e14a1fbda4d27c29f4d151aa4c6033704afda5e082

SHA512
ab9365ce8f01a71702d9958de02c2254b1e1900b90517162f13b777d2b8f1fce71c6e50e37476374e2900b81ca3424bbf3c53d24086760f1f4caad06e4861b60

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe
Filesize
72KB

MD5
487e4d4c9dbbc625328b314269daa375

SHA1
f0f0c719df01928803b4a9a95ef8fc14365d6efc

SHA256
f43cc8c2f33b05f58550caca80f859569e8282dc1c9bebe4a59c29e2ae92004f

SHA512
f4a69af6bb43c0d49a9cf1b55e11687b46e93096293c86e0d31cbd91e38659876472ba263ce33eeb70916224d94d2da91e4c21a6e3145e202b1fbd2a6c7426f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe
Filesize
72KB

MD5
487e4d4c9dbbc625328b314269daa375

SHA1
f0f0c719df01928803b4a9a95ef8fc14365d6efc

SHA256
f43cc8c2f33b05f58550caca80f859569e8282dc1c9bebe4a59c29e2ae92004f

SHA512
f4a69af6bb43c0d49a9cf1b55e11687b46e93096293c86e0d31cbd91e38659876472ba263ce33eeb70916224d94d2da91e4c21a6e3145e202b1fbd2a6c7426f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
2b0a3064b4a1ace8cc4a8390840bc27d

SHA1
869aba049770be8220c16e7c092efc0a6538b766

SHA256
f182570ee753566a22a17f4a962e653852031e856c2e53416f984d354bcaa6a0

SHA512
e428ea5ce01a942bea05ed18e3d64f3e62a5b3cc553fe2823a05e5a5381326e340a56b4601039d7160f21572817fb57dffaa4889810f3560400e82cc48ff1246

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
2b0a3064b4a1ace8cc4a8390840bc27d

SHA1
869aba049770be8220c16e7c092efc0a6538b766

SHA256
f182570ee753566a22a17f4a962e653852031e856c2e53416f984d354bcaa6a0

SHA512
e428ea5ce01a942bea05ed18e3d64f3e62a5b3cc553fe2823a05e5a5381326e340a56b4601039d7160f21572817fb57dffaa4889810f3560400e82cc48ff1246

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
4880f0f50644418835eaffbda65673cb

SHA1
5322531b4d3ecd968ca4f8840f9f071dc0e7e4c1

SHA256
3a34924b800937148e61abbf1c508d4d42c644e3764e0babfc92578412b13281

SHA512
f4662736965c9396f24f5e7613beee46606ecf9c569edd11d9ec109cbe06e82692cd03fc642390bb6182b37ae2c44a2accf0fbbf27413bf7367baaf18f39fa18

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
4880f0f50644418835eaffbda65673cb

SHA1
5322531b4d3ecd968ca4f8840f9f071dc0e7e4c1

SHA256
3a34924b800937148e61abbf1c508d4d42c644e3764e0babfc92578412b13281

SHA512
f4662736965c9396f24f5e7613beee46606ecf9c569edd11d9ec109cbe06e82692cd03fc642390bb6182b37ae2c44a2accf0fbbf27413bf7367baaf18f39fa18

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe
Filesize
72KB

MD5
b40198bbe17f7d2523d6df934804d5ae

SHA1
fb7ef14a4f1f58019efd010658f36e763ae084f8

SHA256
8dd5e5f1b676c26b1caaaf4fdeb93a08850dbac38d43d116f62f1d8e5024020e

SHA512
11f67e15c786f0b60d51fae5cbb0a28679056bf8e7ca8fc156b6ff94b4aef1893015cace028c582b0da8fb6378e614a8e7bb1b73caf925b1c5a4e6af3469bb68

Download Submit
C:\Program Files\Google\Chrome\Application\backup.exe
Filesize
72KB

MD5
b40198bbe17f7d2523d6df934804d5ae

SHA1
fb7ef14a4f1f58019efd010658f36e763ae084f8

SHA256
8dd5e5f1b676c26b1caaaf4fdeb93a08850dbac38d43d116f62f1d8e5024020e

SHA512
11f67e15c786f0b60d51fae5cbb0a28679056bf8e7ca8fc156b6ff94b4aef1893015cace028c582b0da8fb6378e614a8e7bb1b73caf925b1c5a4e6af3469bb68

Download Submit
C:\Program Files\Google\Chrome\backup.exe
Filesize
72KB

MD5
e784afb9cbae57c63d208ab1342cd6d3

SHA1
868bf3204106e90e2cf347135cf5a11d3e9a581f

SHA256
0b5812c091a67fa03657ccb61ad713b6e522062ebfab9958d8277f62354ea992

SHA512
59f972c65f14e2eaf53d5ae270444af520f379c0fb0dfd550a004f0927cd9ba16bcc6dd22bcf14f797f6a2114dcd1bd453daff72730e166a0ce436911565cfdf

Download Submit
C:\Program Files\Google\Chrome\backup.exe
Filesize
72KB

MD5
e784afb9cbae57c63d208ab1342cd6d3

SHA1
868bf3204106e90e2cf347135cf5a11d3e9a581f

SHA256
0b5812c091a67fa03657ccb61ad713b6e522062ebfab9958d8277f62354ea992

SHA512
59f972c65f14e2eaf53d5ae270444af520f379c0fb0dfd550a004f0927cd9ba16bcc6dd22bcf14f797f6a2114dcd1bd453daff72730e166a0ce436911565cfdf

Download Submit
C:\Program Files\Google\backup.exe
Filesize
72KB

MD5
198041d5b5b33a21fdc9a4f0812925fa

SHA1
0d732f9786f037013783d45b596f7e91277ac57a

SHA256
3eb6751d2c20acb77391b941fbcade672223334136e2d5dbf2621b4d7e29441b

SHA512
eddb5f6603deaab669b49e6b40197a4cff69b9c6c038e57e7dcf982488c699c76a68a7e7be340bb6a4bed2bb0bb0288f81a4c5a33a3feff8061e4b7f97cd8b46

Download Submit
C:\Program Files\Google\backup.exe
Filesize
72KB

MD5
198041d5b5b33a21fdc9a4f0812925fa

SHA1
0d732f9786f037013783d45b596f7e91277ac57a

SHA256
3eb6751d2c20acb77391b941fbcade672223334136e2d5dbf2621b4d7e29441b

SHA512
eddb5f6603deaab669b49e6b40197a4cff69b9c6c038e57e7dcf982488c699c76a68a7e7be340bb6a4bed2bb0bb0288f81a4c5a33a3feff8061e4b7f97cd8b46

Download Submit
C:\Program Files\Internet Explorer\backup.exe
Filesize
72KB

MD5
9e35c673c4b5315fbc64237ec8b82cfc

SHA1
d50e2b01232eb3d544be06645d591400f8efef0b

SHA256
65f49b0defd5037a29935c260c72252e6d17f678d0e26cbb2769478fd63a460a

SHA512
9bbb168cd2e2aabdc343c94b12a9c1754ada4eadafa65eb0d18ca0310360569acea6f8a201161c099ccc183a2e5d497cf928a14598d1cc0a27591ed453a60267

Download Submit
C:\Program Files\Internet Explorer\backup.exe
Filesize
72KB

MD5
9e35c673c4b5315fbc64237ec8b82cfc

SHA1
d50e2b01232eb3d544be06645d591400f8efef0b

SHA256
65f49b0defd5037a29935c260c72252e6d17f678d0e26cbb2769478fd63a460a

SHA512
9bbb168cd2e2aabdc343c94b12a9c1754ada4eadafa65eb0d18ca0310360569acea6f8a201161c099ccc183a2e5d497cf928a14598d1cc0a27591ed453a60267

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1366931039\backup.exe
Filesize
72KB

MD5
eeb83a6e5abf2e69c4220cecae9b8463

SHA1
62f747d06168a8a9346b6dbe1aded62f1a6f5643

SHA256
4bce3b2fe628d5c0695afe03e1d037eaa14cc4e9cd5bb6849d0b5fdaa3c54b58

SHA512
35e1d7d278da362098dfbb324ce03eb8bcf2bbf599aba508ecfbe21092cc235f9000bfdd11abf6de7ba5be395faf93ef33deb8d77782bf1d121dedae9e68a0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1366931039\backup.exe
Filesize
72KB

MD5
eeb83a6e5abf2e69c4220cecae9b8463

SHA1
62f747d06168a8a9346b6dbe1aded62f1a6f5643

SHA256
4bce3b2fe628d5c0695afe03e1d037eaa14cc4e9cd5bb6849d0b5fdaa3c54b58

SHA512
35e1d7d278da362098dfbb324ce03eb8bcf2bbf599aba508ecfbe21092cc235f9000bfdd11abf6de7ba5be395faf93ef33deb8d77782bf1d121dedae9e68a0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
82af4f67ee37840439898d837caeab0c

SHA1
e471451046a2a8bf7f5113252c87c7b5a6c38bfb

SHA256
35fe35fe6a0ca3067f938098d14dbf075276b1954ac21d4d98ae1522d4719e85

SHA512
b855872307f2975b1f34eec38b0695a10329bef1e00e0ca332f82bebc9b66f2546ce7b59b03eebf5d3d41c14c210fe74f34fc2add4dd8bc78eed96fc730d3b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
25c4e373a358ccd118ba6bdf97beada1

SHA1
4bfc173497dfe43aa2f76a6d715bc3ea98a20ab6

SHA256
d029e4670af92a11297430b3cfbe4d21a94533cef2cb7421335d4cfeffa5c330

SHA512
94038e52ea508756dce3d7877eef27f933cca18f18fe217c67f5dab468b6334774435e81070228e0e6fd9c8894b5aad11d91df8252beb22059832d425f31735e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
25c4e373a358ccd118ba6bdf97beada1

SHA1
4bfc173497dfe43aa2f76a6d715bc3ea98a20ab6

SHA256
d029e4670af92a11297430b3cfbe4d21a94533cef2cb7421335d4cfeffa5c330

SHA512
94038e52ea508756dce3d7877eef27f933cca18f18fe217c67f5dab468b6334774435e81070228e0e6fd9c8894b5aad11d91df8252beb22059832d425f31735e

Download Submit
C:\Users\backup.exe
Filesize
72KB

MD5
3c81c00b3e5dadbb19f55e9e6f6abd97

SHA1
866e6143644d70060d5a2eed7ca38bc26525399b

SHA256
29bf4ed1eac2583a179524df698f5c82e7e227ccae8a594cdfa881d5ebe6927b

SHA512
6bcc0c31dec69b378fe069cfb29ff8352108b37c8757cf15d7ea210829af0aa467f2e6cbc588a4a29fbc23badf16f83e4fc671db238bf0f5f4b21f67dc55ee98

Download Submit
C:\Users\backup.exe
Filesize
72KB

MD5
3c81c00b3e5dadbb19f55e9e6f6abd97

SHA1
866e6143644d70060d5a2eed7ca38bc26525399b

SHA256
29bf4ed1eac2583a179524df698f5c82e7e227ccae8a594cdfa881d5ebe6927b

SHA512
6bcc0c31dec69b378fe069cfb29ff8352108b37c8757cf15d7ea210829af0aa467f2e6cbc588a4a29fbc23badf16f83e4fc671db238bf0f5f4b21f67dc55ee98

Download Submit
C:\backup.exe
Filesize
72KB

MD5
ef5c94eabbed6659460168d4a0e77d24

SHA1
89017deec438741810c68b1d21cce97e3983f619

SHA256
ba8eaaf0131cd64cda2cb29581dea26370eaf77c82437264aaa4042d8c859f9d

SHA512
7a08d1c762f73d0b6f09f675dd5e90219e2e1aa323c2016644aa8a1b5bef07ecf1f2ad3bc9d38a48dae10d59d27574f5a7c8222cfd629f032aa1b2d39892dc96

Download Submit
C:\backup.exe
Filesize
72KB

MD5
ef5c94eabbed6659460168d4a0e77d24

SHA1
89017deec438741810c68b1d21cce97e3983f619

SHA256
ba8eaaf0131cd64cda2cb29581dea26370eaf77c82437264aaa4042d8c859f9d

SHA512
7a08d1c762f73d0b6f09f675dd5e90219e2e1aa323c2016644aa8a1b5bef07ecf1f2ad3bc9d38a48dae10d59d27574f5a7c8222cfd629f032aa1b2d39892dc96

Download Submit
C:\odt\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
C:\odt\backup.exe
Filesize
72KB

MD5
f9cd9ec4a59ce43dfbb974390a62cc5b

SHA1
952a5cbb0d8870ca3cfca89b82814b8fd646b17d

SHA256
5f19f81041e0fde6470618be7e53f3ec77842e83b689ec1dbe66394a085578e1

SHA512
a05f735eea42902adace20c03fede35fc0da7ec480a9819af41d7fe2e1fd6b334fff27929b6a7b7cc2d60716246990e803a96f51722fe674d04d1e6de673aae8

Download Submit
memory/32-144-0x0000000000000000-mapping.dmp

Download
memory/312-174-0x0000000000000000-mapping.dmp

Download
memory/444-324-0x0000000000000000-mapping.dmp

Download
memory/460-228-0x0000000000000000-mapping.dmp

Download
memory/548-364-0x0000000000000000-mapping.dmp

Download
memory/564-199-0x0000000000000000-mapping.dmp

Download
memory/768-303-0x0000000000000000-mapping.dmp

Download
memory/920-358-0x0000000000000000-mapping.dmp

Download
memory/1096-246-0x0000000000000000-mapping.dmp

Download
memory/1112-274-0x0000000000000000-mapping.dmp

Download
memory/1176-264-0x0000000000000000-mapping.dmp

Download
memory/1180-337-0x0000000000000000-mapping.dmp

Download
memory/1416-341-0x0000000000000000-mapping.dmp

Download
memory/1516-366-0x0000000000000000-mapping.dmp

Download
memory/1560-365-0x0000000000000000-mapping.dmp

Download
memory/1988-225-0x0000000000000000-mapping.dmp

Download
memory/2036-297-0x0000000000000000-mapping.dmp

Download
memory/2176-376-0x0000000000000000-mapping.dmp

Download
memory/2284-335-0x0000000000000000-mapping.dmp

Download
memory/2368-149-0x0000000000000000-mapping.dmp

Download
memory/2428-369-0x0000000000000000-mapping.dmp

Download
memory/2484-312-0x0000000000000000-mapping.dmp

Download
memory/2624-362-0x0000000000000000-mapping.dmp

Download
memory/2696-330-0x0000000000000000-mapping.dmp

Download
memory/2808-224-0x0000000000000000-mapping.dmp

Download
memory/2960-338-0x0000000000000000-mapping.dmp

Download
memory/3012-184-0x0000000000000000-mapping.dmp

Download
memory/3172-360-0x0000000000000000-mapping.dmp

Download
memory/3464-377-0x0000000000000000-mapping.dmp

Download
memory/3468-204-0x0000000000000000-mapping.dmp

Download
memory/3484-245-0x0000000000000000-mapping.dmp

Download
memory/3504-298-0x0000000000000000-mapping.dmp

Download
memory/3652-333-0x0000000000000000-mapping.dmp

Download
memory/3676-167-0x0000000000000000-mapping.dmp

Download
memory/3700-314-0x0000000000000000-mapping.dmp

Download
memory/3880-164-0x0000000000000000-mapping.dmp

Download
memory/3976-247-0x0000000000000000-mapping.dmp

Download
memory/3988-313-0x0000000000000000-mapping.dmp

Download
memory/4028-159-0x0000000000000000-mapping.dmp

Download
memory/4068-310-0x0000000000000000-mapping.dmp

Download
memory/4116-230-0x0000000000000000-mapping.dmp

Download
memory/4120-352-0x0000000000000000-mapping.dmp

Download
memory/4200-347-0x0000000000000000-mapping.dmp

Download
memory/4240-219-0x0000000000000000-mapping.dmp

Download
memory/4288-134-0x0000000000000000-mapping.dmp

Download
memory/4292-340-0x0000000000000000-mapping.dmp

Download
memory/4368-334-0x0000000000000000-mapping.dmp

Download
memory/4376-244-0x0000000000000000-mapping.dmp

Download
memory/4384-270-0x0000000000000000-mapping.dmp

Download
memory/4440-269-0x0000000000000000-mapping.dmp

Download
memory/4588-179-0x0000000000000000-mapping.dmp

Download
memory/4664-214-0x0000000000000000-mapping.dmp

Download
memory/4672-309-0x0000000000000000-mapping.dmp

Download
memory/4748-306-0x0000000000000000-mapping.dmp

Download
memory/4768-273-0x0000000000000000-mapping.dmp

Download
memory/4772-339-0x0000000000000000-mapping.dmp

Download
memory/4788-139-0x0000000000000000-mapping.dmp

Download
memory/4796-209-0x0000000000000000-mapping.dmp

Download
memory/4828-271-0x0000000000000000-mapping.dmp

Download
memory/4832-272-0x0000000000000000-mapping.dmp

Download
memory/5020-154-0x0000000000000000-mapping.dmp

Download
memory/5056-311-0x0000000000000000-mapping.dmp

Download
memory/5096-194-0x0000000000000000-mapping.dmp

Download
memory/5108-189-0x0000000000000000-mapping.dmp

Download