ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9

Analysis

max time kernel
164s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe
Size

72KB
MD5

09f8bae370fedff4378672755d68750c
SHA1

43a8206ba38e9019c6c515918e51b607cd5c00c6
SHA256

ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9
SHA512

29213ffc56d9685d382cd590f9f7e1d2ebfb2eeb7a33d2a374ff07356c56be64067e0625219c564f1d742bfe986d01208f249fdff4ef6208bfc2693707be72a8
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2Q:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPk

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2068	backup.exe
4452	backup.exe
3960	data.exe
4588	backup.exe
1140	backup.exe
4624	backup.exe
4784	backup.exe
4688	backup.exe
4612	backup.exe
5048	backup.exe
2040	backup.exe
4724	backup.exe
4180	backup.exe
4616	backup.exe
2512	backup.exe
2132	backup.exe
5104	backup.exe
5088	data.exe
2848	data.exe
2436	backup.exe
1948	backup.exe
3656	backup.exe
1084	backup.exe
4268	backup.exe
3508	backup.exe
5112	backup.exe
4440	update.exe
4328	backup.exe
64	backup.exe
4404	backup.exe
4072	backup.exe
3132	backup.exe
1696	backup.exe
4504	backup.exe
3220	backup.exe
3728	backup.exe
824	backup.exe
2916	backup.exe
2456	backup.exe
2688	data.exe
1112	backup.exe
1488	backup.exe
4068	backup.exe
4084	backup.exe
4080	backup.exe
636	backup.exe
1656	backup.exe
3116	backup.exe
4368	backup.exe
560	backup.exe
4712	backup.exe
4336	backup.exe
1048	backup.exe
4304	backup.exe
3148	update.exe
4556	backup.exe
2040	backup.exe
2260	backup.exe
1884	backup.exe
2352	System Restore.exe
5064	backup.exe
4988	backup.exe
4500	data.exe
4444	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Icons\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Media Player\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\data.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\serviced\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\DiagTrack\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe
2068	backup.exe
4452	backup.exe
3960	data.exe
4588	backup.exe
1140	backup.exe
4624	backup.exe
4784	backup.exe
4612	backup.exe
4688	backup.exe
5048	backup.exe
2040	backup.exe
4724	backup.exe
4180	backup.exe
4616	backup.exe
2512	backup.exe
2132	backup.exe
5104	backup.exe
5088	data.exe
2848	data.exe
2436	backup.exe
3656	backup.exe
1948	backup.exe
1084	backup.exe
4268	backup.exe
3508	backup.exe
5112	backup.exe
4440	update.exe
64	backup.exe
4328	backup.exe
4404	backup.exe
4072	backup.exe
3132	backup.exe
4504	backup.exe
1696	backup.exe
3220	backup.exe
3728	backup.exe
824	backup.exe
2916	backup.exe
2456	backup.exe
2688	data.exe
1112	backup.exe
1488	backup.exe
4084	backup.exe
4068	backup.exe
4080	backup.exe
636	backup.exe
1656	backup.exe
3116	backup.exe
4368	backup.exe
560	backup.exe
4336	backup.exe
4712	backup.exe
1048	backup.exe
4304	backup.exe
3148	update.exe
2040	backup.exe
4556	backup.exe
2260	backup.exe
1884	backup.exe
2352	System Restore.exe
5064	backup.exe
4500	data.exe
4988	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 2068	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	81
PID 3916 wrote to memory of 2068	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	81
PID 3916 wrote to memory of 2068	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	81
PID 3916 wrote to memory of 4452	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	82
PID 3916 wrote to memory of 4452	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	82
PID 3916 wrote to memory of 4452	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	82
PID 3916 wrote to memory of 3960	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	83
PID 3916 wrote to memory of 3960	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	83
PID 3916 wrote to memory of 3960	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	83
PID 2068 wrote to memory of 4588	2068	backup.exe	84
PID 2068 wrote to memory of 4588	2068	backup.exe	84
PID 2068 wrote to memory of 4588	2068	backup.exe	84
PID 3916 wrote to memory of 1140	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	85
PID 3916 wrote to memory of 1140	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	85
PID 3916 wrote to memory of 1140	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	85
PID 4588 wrote to memory of 4624	4588	backup.exe	86
PID 4588 wrote to memory of 4624	4588	backup.exe	86
PID 4588 wrote to memory of 4624	4588	backup.exe	86
PID 3916 wrote to memory of 4784	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	87
PID 3916 wrote to memory of 4784	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	87
PID 3916 wrote to memory of 4784	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	87
PID 4588 wrote to memory of 4612	4588	backup.exe	88
PID 4588 wrote to memory of 4612	4588	backup.exe	88
PID 4588 wrote to memory of 4612	4588	backup.exe	88
PID 3916 wrote to memory of 4688	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	89
PID 3916 wrote to memory of 4688	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	89
PID 3916 wrote to memory of 4688	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	89
PID 4588 wrote to memory of 5048	4588	backup.exe	90
PID 4588 wrote to memory of 5048	4588	backup.exe	90
PID 4588 wrote to memory of 5048	4588	backup.exe	90
PID 3916 wrote to memory of 2040	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	91
PID 3916 wrote to memory of 2040	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	91
PID 3916 wrote to memory of 2040	3916	ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe	91
PID 5048 wrote to memory of 4724	5048	backup.exe	92
PID 5048 wrote to memory of 4724	5048	backup.exe	92
PID 5048 wrote to memory of 4724	5048	backup.exe	92
PID 4724 wrote to memory of 4180	4724	backup.exe	93
PID 4724 wrote to memory of 4180	4724	backup.exe	93
PID 4724 wrote to memory of 4180	4724	backup.exe	93
PID 5048 wrote to memory of 4616	5048	backup.exe	94
PID 5048 wrote to memory of 4616	5048	backup.exe	94
PID 5048 wrote to memory of 4616	5048	backup.exe	94
PID 4616 wrote to memory of 2512	4616	backup.exe	95
PID 4616 wrote to memory of 2512	4616	backup.exe	95
PID 4616 wrote to memory of 2512	4616	backup.exe	95
PID 4616 wrote to memory of 2132	4616	backup.exe	96
PID 4616 wrote to memory of 2132	4616	backup.exe	96
PID 4616 wrote to memory of 2132	4616	backup.exe	96
PID 2132 wrote to memory of 5104	2132	backup.exe	97
PID 2132 wrote to memory of 5104	2132	backup.exe	97
PID 2132 wrote to memory of 5104	2132	backup.exe	97
PID 2132 wrote to memory of 5088	2132	backup.exe	98
PID 2132 wrote to memory of 5088	2132	backup.exe	98
PID 2132 wrote to memory of 5088	2132	backup.exe	98
PID 5088 wrote to memory of 2848	5088	data.exe	99
PID 5088 wrote to memory of 2848	5088	data.exe	99
PID 5088 wrote to memory of 2848	5088	data.exe	99
PID 5088 wrote to memory of 2436	5088	data.exe	100
PID 5088 wrote to memory of 2436	5088	data.exe	100
PID 5088 wrote to memory of 2436	5088	data.exe	100
PID 4588 wrote to memory of 3656	4588	backup.exe	103
PID 4588 wrote to memory of 3656	4588	backup.exe	103
PID 4588 wrote to memory of 3656	4588	backup.exe	103
PID 5088 wrote to memory of 1948	5088	data.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe
"C:\Users\Admin\AppData\Local\Temp\ad87e90407a38a4d8c12de014358c273329c24befe57aedd541e9b858a24d9e9.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\2353693535\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2353693535\backup.exe C:\Users\Admin\AppData\Local\Temp\2353693535\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4624
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4612
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4180
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4616
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2132
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Program Files\Common Files\microsoft shared\ink\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\data.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4080
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:3612
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Drops file in Program Files directory
        
        PID:548
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:4976
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        System policy modification
        
        PID:3472
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3112
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        System policy modification
        
        PID:1212
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:4656
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4020
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:3092
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:3764
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:2360
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2456
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:4552
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:3920
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:1760
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:1252
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1364
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:448
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:2404
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:1488
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        System policy modification
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:4988
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:2856
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3364
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:3080
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3420
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:1356
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        System policy modification
        
        PID:1232
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4656
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:3504
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:4472
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:744
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:4268
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3116
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:4296
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:2928
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:3752
        
        C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3676
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:480
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:2316
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:484
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:3712
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:4820
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4736
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4328
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2916
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3400
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5112
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3728
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4556
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:5084
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:3548
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        System policy modification
        
        PID:2856
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:3468
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1372
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:4336
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:2524
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:4936
    - - C:\Program Files\Internet Explorer\data.exe
        
        "C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4500
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:3776
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1452
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4884
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1796
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:1428
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:744
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:3400
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3368
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:4088
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:1776
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:4052
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        Drops file in Program Files directory
        
        PID:4972
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:2304
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1144
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:5104
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1604
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:4704
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:3100
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:3812
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        System policy modification
        
        PID:3368
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:3632
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        
        PID:1748
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3192
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
        9⤵
        
        PID:3152
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\
        9⤵
        
        PID:3912
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\
        9⤵
        
        PID:4736
        
        C:\Program Files\Java\jdk1.8.0_66\lib\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        
        PID:4108
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:3344
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        
        PID:1012
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4444
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4724
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        
        PID:1816
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        
        PID:1224
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2240
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:2036
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:5112
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:832
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2240
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:4048
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:4304
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:2288
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1748
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4624
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        Disables RegEdit via registry modification
        
        PID:4772
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        
        PID:548
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        
        PID:2456
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\
        9⤵
        
        PID:4724
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        Drops file in Program Files directory
        
        PID:2212
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\
        9⤵
        
        PID:4536
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\
        9⤵
        Drops file in Program Files directory
        
        PID:2404
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\
        10⤵
        Drops file in Program Files directory
        
        PID:2320
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:2036
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\
        10⤵
        
        PID:1288
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3304
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\
        11⤵
        
        PID:4512
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\
        10⤵
        
        PID:1064
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:4976
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        10⤵
        
        PID:3168
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\
        11⤵
        
        PID:216
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\
        10⤵
        
        PID:4676
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\
        10⤵
        
        PID:2896
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\
        9⤵
        
        PID:592
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:3728
        
        C:\Program Files\Java\jre1.8.0_66\bin\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:2464
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:4040
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:4580
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2012
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:4048
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        
        PID:2856
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3364
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        
        PID:4296
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3984
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        System policy modification
        
        PID:428
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\System Restore.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\System Restore.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        
        PID:4028
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:3116
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        System policy modification
        
        PID:4184
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\update.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:2316
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:4656
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2368
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:5060
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:4204
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:1880
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:3980
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        System policy modification
        
        PID:428
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\data.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\data.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:3436
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4552
        
        C:\Program Files\Microsoft Office\root\fre\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\fre\System Restore.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:2272
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4616
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:5096
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:1820
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:816
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:4444
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:1660
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:5064
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:116
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        
        PID:4116
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:4804
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4980
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        
        PID:4488
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:4480
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:4220
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:4796
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:2608
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        
        PID:2688
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:3788
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\System Restore.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:2872
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:4668
        
        C:\Program Files\Microsoft Office\root\vreg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
        7⤵
        
        PID:824
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1728
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:4680
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:3452
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\
        9⤵
        
        PID:232
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        System policy modification
        
        PID:4340
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2344
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\
        9⤵
        
        PID:4440
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\
        10⤵
        Drops file in Program Files directory
        
        PID:4328
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1372
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\
        12⤵
        
        PID:1196
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        System policy modification
        
        PID:3692
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:4364
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:3688
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:1532
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:4588
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4504
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:3468
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2572
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:3456
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:1752
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:4616
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:2036
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        System policy modification
        
        PID:308
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:1328
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:892
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:1600
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        Drops file in Program Files directory
        
        PID:3204
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        Drops file in Program Files directory
        
        PID:3596
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4676
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2284
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:1816
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:3560
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:3064
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:2508
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:3472
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:4380
        
        C:\Program Files\VideoLAN\VLC\lua\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
        7⤵
        
        PID:3728
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:2344
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3656
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:64
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:3368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:3800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4592
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:2064
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:4176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:5084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        System policy modification
        
        PID:4668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Disables RegEdit via registry modification
        
        PID:3360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        System policy modification
        
        PID:4488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:2056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:3192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:3476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        Drops file in Program Files directory
        
        PID:4020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Drops file in Program Files directory
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4192
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:5060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:1540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:3456
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:2984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        System policy modification
        
        PID:484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:3276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        System policy modification
        
        PID:1084
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        8⤵
        System policy modification
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        9⤵
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        System policy modification
        
        PID:2952
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4988
      - C:\Program Files (x86)\Common Files\Adobe\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:3700
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1880
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        System policy modification
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Drops file in Program Files directory
        
        PID:4164
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:4296
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:1724
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:4368
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Drops file in Program Files directory
        
        PID:3476
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:4332
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:3080
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:3460
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:4364
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:4852
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:4508
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:4040
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:2508
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        System policy modification
        
        PID:1368
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:372
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:4624
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:1212
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:4932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:2592
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Drops file in Program Files directory
        
        PID:3328
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3104
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:3948
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3344
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        System policy modification
        
        PID:3800
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:1088
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2928
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2000
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3808
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1252
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        System policy modification
        
        PID:4628
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:384
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2060
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\data.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3112
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        10⤵
        Disables RegEdit via registry modification
        
        PID:4184
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:632
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1064
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        Drops file in Program Files directory
        
        PID:460
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:4052
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:4104
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2284
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:3360
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4268
      - C:\Program Files (x86)\Common Files\System\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\System Restore.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:372
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:480
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4308
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1712
        
        C:\Program Files (x86)\Common Files\System\Ole DB\data.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\data.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3772
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3084
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4388
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:3068
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Disables RegEdit via registry modification
        
        PID:5084
      - C:\Program Files (x86)\Google\Temp\update.exe
        
        "C:\Program Files (x86)\Google\Temp\update.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3724
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:4944
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1888
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3332
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:3472
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2764
        
        C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\update.exe" C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1884
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4076
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:768
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:3364
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:4108
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3540
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:2352
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        Disables RegEdit via registry modification
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Drops file in Program Files directory
        
        PID:3132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:3612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:3824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:4780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        9⤵
        
        PID:1200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        10⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        11⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        9⤵
        
        PID:2580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        9⤵
        
        PID:3824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        10⤵
        
        PID:4868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        10⤵
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        10⤵
        
        PID:4164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        9⤵
        
        PID:3756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:4204
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        System policy modification
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\
        7⤵
        System policy modification
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:4312
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.167.21\
        9⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:2524
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\
        8⤵
        
        PID:1288
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\
        9⤵
        System policy modification
        
        PID:4924
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:5028
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        Drops file in Program Files directory
        
        PID:460
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
      - C:\Program Files (x86)\Microsoft.NET\RedistList\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\System Restore.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        System policy modification
        
        PID:4368
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:1112
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:3436
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:4512
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3168
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:4660
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:4280
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:3624
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        Drops file in Program Files directory
        
        PID:3984
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4180
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:3116
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:2044
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:816
    - - C:\Program Files (x86)\Windows Media Player\data.exe
        
        "C:\Program Files (x86)\Windows Media Player\data.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        Drops file in Program Files directory
        
        PID:4836
      - C:\Program Files (x86)\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\en-US\backup.exe" C:\Program Files (x86)\Windows Media Player\en-US\
        6⤵
        
        PID:3768
      - C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe" C:\Program Files (x86)\Windows Media Player\Media Renderer\
        6⤵
        
        PID:1972
    - - C:\Program Files (x86)\Windows Multimedia Platform\backup.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\backup.exe" C:\Program Files (x86)\Windows Multimedia Platform\
        5⤵
        
        PID:1440
    - - C:\Program Files (x86)\Windows NT\backup.exe
        
        "C:\Program Files (x86)\Windows NT\backup.exe" C:\Program Files (x86)\Windows NT\
        5⤵
        
        PID:3676
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      PID:4444
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3252
      - C:\Users\Admin\3D Objects\System Restore.exe
        
        "C:\Users\Admin\3D Objects\System Restore.exe" C:\Users\Admin\3D Objects\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4396
      - C:\Users\Admin\Desktop\System Restore.exe
        
        "C:\Users\Admin\Desktop\System Restore.exe" C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:4580
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:3448
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:3408
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:3824
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3508
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:4964
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:956
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:4212
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2212
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1964
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:4492
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        System policy modification
        
        PID:4548
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:2572
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4404
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2236
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        Disables RegEdit via registry modification
        
        PID:8
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:3600
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1448
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4704
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:4620
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3772
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:1104
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:2928
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3068
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:3952
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:4828
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:4160
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:1372
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:2224
      - C:\Windows\apppatch\en-US\data.exe
        
        C:\Windows\apppatch\en-US\data.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:3532
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:3392
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:364
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:3684
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:4540
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4288
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:3764
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1232
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:3788
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1056
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Drops file in Windows directory
        
        PID:3708
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:4068
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4376
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2116
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:2456
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:3920
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:2516
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:1144
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3328
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4968
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:308
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2304
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1964
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2080
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4080
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:3448
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:4216
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4712
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:3252
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:744
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        Drops file in Windows directory
        
        PID:4936
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1200
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:4844
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        Drops file in Windows directory
        
        PID:920
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4100
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\data.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\data.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:2316
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:1668
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        Drops file in Windows directory
        
        PID:1964
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:2056
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
        7⤵
        
        PID:4332
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        7⤵
        
        PID:3596
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:3468
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:3824
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Windows directory
        
        PID:1888
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:2764
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:684
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        System policy modification
        
        PID:4448
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:1508
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:1476
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4772
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:3116
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        Drops file in Windows directory
        
        PID:1788
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:1816
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2960
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:4688
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:2136
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
1⤵
PID:4696

C:\Windows\DiagTrack\Scenarios\backup.exe
C:\Windows\DiagTrack\Scenarios\backup.exe C:\Windows\DiagTrack\Scenarios\
1⤵
PID:3472

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\GAC_MSIL\
1⤵
- System policy modification
PID:2060

C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:664

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E072BA14-90AE-4ACC-B895-7EFF8F4C5727\root\vfs\Windows\assembly\
1⤵
- System policy modification
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b4276d40fbfeb938d51cfa6a27f60dfa

SHA1
fb5bf1a9d04aa1d1c831ef2ad17e71f3bc4b4556

SHA256
7e1b4fe223b170eac70f99ddc1687d317d0f4fe01e473ac8fefe3ea75916a52c

SHA512
4d9ab822f7a49fbc3802fb52b492cb3ffc9da73752dc4aa51dbe64c48117c2fec1a19cc5833a1a42bc7d29a1d82366f25c52847ffbf0d84330ab2dbdbc09eb39

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
b4276d40fbfeb938d51cfa6a27f60dfa

SHA1
fb5bf1a9d04aa1d1c831ef2ad17e71f3bc4b4556

SHA256
7e1b4fe223b170eac70f99ddc1687d317d0f4fe01e473ac8fefe3ea75916a52c

SHA512
4d9ab822f7a49fbc3802fb52b492cb3ffc9da73752dc4aa51dbe64c48117c2fec1a19cc5833a1a42bc7d29a1d82366f25c52847ffbf0d84330ab2dbdbc09eb39

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
489f74b7a415f1d4ae16cc4f16a511f5

SHA1
f87a069db5086386a6ed2ba24b3c4246cbaf0232

SHA256
9806b77f9a1e3ef177fba75e017303b6c6061a77c127d0f7ea9e784402e05cc4

SHA512
86190f41fe41685268448423979a6283d991c40b5a7e4debe91540abc6e8c323f7141d17a0af377285903e659e7b946e5bcceb18addd7f90929fd87e5171732a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe

Filesize
72KB

MD5
489f74b7a415f1d4ae16cc4f16a511f5

SHA1
f87a069db5086386a6ed2ba24b3c4246cbaf0232

SHA256
9806b77f9a1e3ef177fba75e017303b6c6061a77c127d0f7ea9e784402e05cc4

SHA512
86190f41fe41685268448423979a6283d991c40b5a7e4debe91540abc6e8c323f7141d17a0af377285903e659e7b946e5bcceb18addd7f90929fd87e5171732a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
7aff64be4a13d004bf8ac30259b70b5d

SHA1
d57e0572d4b20529ad11789c31ce0b52987b962f

SHA256
de50c67913b4b0e3aa179e8c23ff5fa30f2a7e83aab53971b3a7868a52c00343

SHA512
2f2581e67e303fbcf97c2e0fae1e0a864d93b73602b0c7d9ed5c38c5b7f580fab584bbe57e535650f7365762f0f7573bd455b94db0f670d2dc408dcb3e3e3639

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe

Filesize
72KB

MD5
7aff64be4a13d004bf8ac30259b70b5d

SHA1
d57e0572d4b20529ad11789c31ce0b52987b962f

SHA256
de50c67913b4b0e3aa179e8c23ff5fa30f2a7e83aab53971b3a7868a52c00343

SHA512
2f2581e67e303fbcf97c2e0fae1e0a864d93b73602b0c7d9ed5c38c5b7f580fab584bbe57e535650f7365762f0f7573bd455b94db0f670d2dc408dcb3e3e3639

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
3d07cabd733a6ff14dfb0b1e91f452db

SHA1
4925484bb1d2c2d1cd6d53882193a09841612fa8

SHA256
240c77ac4b9d250961914308cfc7e6e05300146e9355510dad9e6373055dc46d

SHA512
990c08e6ae62ec6b436d86c355ca89cd68c2ad27041c155f75711e407b0f5eade8dde8b76b14973b9047cf2e16fe75a2820087ec66d5b1fd6dba1577aeff6476

Download Submit
C:\Program Files (x86)\Adobe\backup.exe

Filesize
72KB

MD5
3d07cabd733a6ff14dfb0b1e91f452db

SHA1
4925484bb1d2c2d1cd6d53882193a09841612fa8

SHA256
240c77ac4b9d250961914308cfc7e6e05300146e9355510dad9e6373055dc46d

SHA512
990c08e6ae62ec6b436d86c355ca89cd68c2ad27041c155f75711e407b0f5eade8dde8b76b14973b9047cf2e16fe75a2820087ec66d5b1fd6dba1577aeff6476

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
07e9a88e86dc61f43eb4a1afed303f13

SHA1
4f49cec558ee3abb8352a83edee33c8c1b08dc55

SHA256
4ff8cc6ad8703964455b8932df84ac2e70c195615e13cc4c041cb52876aaf12e

SHA512
bcd1194b47af47e059bd516a3e296866134e7756f11d4d2ad4c421c64b2dbd1c35f5fe5f1d8d8ba3cce743aced1f7976f755582f24fcb0d1b97cd51457069635

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
72KB

MD5
07e9a88e86dc61f43eb4a1afed303f13

SHA1
4f49cec558ee3abb8352a83edee33c8c1b08dc55

SHA256
4ff8cc6ad8703964455b8932df84ac2e70c195615e13cc4c041cb52876aaf12e

SHA512
bcd1194b47af47e059bd516a3e296866134e7756f11d4d2ad4c421c64b2dbd1c35f5fe5f1d8d8ba3cce743aced1f7976f755582f24fcb0d1b97cd51457069635

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f33b2a56c2f71f0eb97f2a4e0cc3b288

SHA1
a72aceae7d5fb7f5a2181c5b8357f9241a3bc101

SHA256
43033ed785b8d47f533cbd0783d9628f2172ea3246637c76834502e4acc16729

SHA512
68a7055da6daa54ba1cd5607e9fa8dcc30c9364438e888c19c2790b0cc6994ecdb647897de90412237c68cfb4137a61bf178e3bc809963cb7a8badf45cd4a4b4

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f33b2a56c2f71f0eb97f2a4e0cc3b288

SHA1
a72aceae7d5fb7f5a2181c5b8357f9241a3bc101

SHA256
43033ed785b8d47f533cbd0783d9628f2172ea3246637c76834502e4acc16729

SHA512
68a7055da6daa54ba1cd5607e9fa8dcc30c9364438e888c19c2790b0cc6994ecdb647897de90412237c68cfb4137a61bf178e3bc809963cb7a8badf45cd4a4b4

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2e9e96663b0fe2032687b8387a37e7b1

SHA1
3d3dc4fc5f30b4e0633ad037ffea0b86264cdbcc

SHA256
acf58796bc7c13b698805fa61aba2c2274a68b2bd0cba563ae83158bf56fbfd1

SHA512
9d6a6beb0c236dadaefaa9892381bc98d1027b0eabfde333862980d930c0fc9be0b43b026123656e01ff4c49f9507cf53096a69ae1c9d32813b9798f8241a41b

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
2e9e96663b0fe2032687b8387a37e7b1

SHA1
3d3dc4fc5f30b4e0633ad037ffea0b86264cdbcc

SHA256
acf58796bc7c13b698805fa61aba2c2274a68b2bd0cba563ae83158bf56fbfd1

SHA512
9d6a6beb0c236dadaefaa9892381bc98d1027b0eabfde333862980d930c0fc9be0b43b026123656e01ff4c49f9507cf53096a69ae1c9d32813b9798f8241a41b

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
adf09452c179b6c553f932433e995889

SHA1
77e7fa4d41c9962e3756951a8db301626fa1f92c

SHA256
d2b7891aadd857b27ae05cbbf2d60729f3c5a0d05048ece35d3cd868627e90af

SHA512
15884e90cb5c37d790d1adaec968e54ac036f063cdc45a7f99edd512e36bbf4461dc19ef628f827df7280e82df56033c1810632e651f3afbe80ae868ae6943de

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
adf09452c179b6c553f932433e995889

SHA1
77e7fa4d41c9962e3756951a8db301626fa1f92c

SHA256
d2b7891aadd857b27ae05cbbf2d60729f3c5a0d05048ece35d3cd868627e90af

SHA512
15884e90cb5c37d790d1adaec968e54ac036f063cdc45a7f99edd512e36bbf4461dc19ef628f827df7280e82df56033c1810632e651f3afbe80ae868ae6943de

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
d914cb6a368c9f35e797b47609ab921f

SHA1
91720941af24698819f7e9373af479780eb19991

SHA256
f9d7009bb9262987c71fbbb389b94dd0eb0edeeb0e6d04a671e4014ce1e01950

SHA512
b835e8d31ae21e966a362d95f2273838a462b6cac0d8c23f747f37ff7972e787c9d1f0e6f99abcf998f7ea9dff65a7509656afc72fa3b30e1db36937440b1f5e

Download Submit
C:\Program Files\Common Files\Services\backup.exe

Filesize
72KB

MD5
d914cb6a368c9f35e797b47609ab921f

SHA1
91720941af24698819f7e9373af479780eb19991

SHA256
f9d7009bb9262987c71fbbb389b94dd0eb0edeeb0e6d04a671e4014ce1e01950

SHA512
b835e8d31ae21e966a362d95f2273838a462b6cac0d8c23f747f37ff7972e787c9d1f0e6f99abcf998f7ea9dff65a7509656afc72fa3b30e1db36937440b1f5e

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
d914cb6a368c9f35e797b47609ab921f

SHA1
91720941af24698819f7e9373af479780eb19991

SHA256
f9d7009bb9262987c71fbbb389b94dd0eb0edeeb0e6d04a671e4014ce1e01950

SHA512
b835e8d31ae21e966a362d95f2273838a462b6cac0d8c23f747f37ff7972e787c9d1f0e6f99abcf998f7ea9dff65a7509656afc72fa3b30e1db36937440b1f5e

Download Submit
C:\Program Files\Common Files\System\backup.exe

Filesize
72KB

MD5
d914cb6a368c9f35e797b47609ab921f

SHA1
91720941af24698819f7e9373af479780eb19991

SHA256
f9d7009bb9262987c71fbbb389b94dd0eb0edeeb0e6d04a671e4014ce1e01950

SHA512
b835e8d31ae21e966a362d95f2273838a462b6cac0d8c23f747f37ff7972e787c9d1f0e6f99abcf998f7ea9dff65a7509656afc72fa3b30e1db36937440b1f5e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8080153bf60dc9f371c6a3583080dafa

SHA1
bf9fba000a2390c9f2b47b6fd36322a2cb06f978

SHA256
a118358983f6c25166ad153739b10070a40ec96255c56b40afddf5a6da63460e

SHA512
0a0d2068c331aec0b595f4c2c588f6d7cbc720dfe620a6cfedd7776f8ea4dfa5a45246a093e61ec0c2f899c775310345cd69d3f92a57da1073e078893ef931a2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
8080153bf60dc9f371c6a3583080dafa

SHA1
bf9fba000a2390c9f2b47b6fd36322a2cb06f978

SHA256
a118358983f6c25166ad153739b10070a40ec96255c56b40afddf5a6da63460e

SHA512
0a0d2068c331aec0b595f4c2c588f6d7cbc720dfe620a6cfedd7776f8ea4dfa5a45246a093e61ec0c2f899c775310345cd69d3f92a57da1073e078893ef931a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
f211e5a9aa15f069b02f607e45be64ff

SHA1
81e60b71d536722dc7775d24544f920fd09c7f35

SHA256
146d074ee61e41ae04770343ac4bf7cbb7946827e4697611f14d760042e6104b

SHA512
503425a5a5a599d852b6f7f26c9c23eb150386cdb8caa48f019df96d6968c10e7a845d33bc4232c7e7fdd2c9d433785521bd5cd63f8d578244ba0078dcb46d67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
f211e5a9aa15f069b02f607e45be64ff

SHA1
81e60b71d536722dc7775d24544f920fd09c7f35

SHA256
146d074ee61e41ae04770343ac4bf7cbb7946827e4697611f14d760042e6104b

SHA512
503425a5a5a599d852b6f7f26c9c23eb150386cdb8caa48f019df96d6968c10e7a845d33bc4232c7e7fdd2c9d433785521bd5cd63f8d578244ba0078dcb46d67

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
adf09452c179b6c553f932433e995889

SHA1
77e7fa4d41c9962e3756951a8db301626fa1f92c

SHA256
d2b7891aadd857b27ae05cbbf2d60729f3c5a0d05048ece35d3cd868627e90af

SHA512
15884e90cb5c37d790d1adaec968e54ac036f063cdc45a7f99edd512e36bbf4461dc19ef628f827df7280e82df56033c1810632e651f3afbe80ae868ae6943de

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
adf09452c179b6c553f932433e995889

SHA1
77e7fa4d41c9962e3756951a8db301626fa1f92c

SHA256
d2b7891aadd857b27ae05cbbf2d60729f3c5a0d05048ece35d3cd868627e90af

SHA512
15884e90cb5c37d790d1adaec968e54ac036f063cdc45a7f99edd512e36bbf4461dc19ef628f827df7280e82df56033c1810632e651f3afbe80ae868ae6943de

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
1cc07872ae0344a5783e85fd7ef57a5d

SHA1
648124247afc6e763b1d366871195bcbc90d87a1

SHA256
0f7ae80c3882faffe772664ef613235902bb6e147514275e884f0370fa4119cd

SHA512
03ebff19c5c55e910b43a461186453b07e40eb7e42d3c76b13a9f9746c6be1a3c3e8a0cc3dec0d48c2ec6c7b20e4fd1108dc3fe677bb12cbf8bc2f12e8410054

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
1cc07872ae0344a5783e85fd7ef57a5d

SHA1
648124247afc6e763b1d366871195bcbc90d87a1

SHA256
0f7ae80c3882faffe772664ef613235902bb6e147514275e884f0370fa4119cd

SHA512
03ebff19c5c55e910b43a461186453b07e40eb7e42d3c76b13a9f9746c6be1a3c3e8a0cc3dec0d48c2ec6c7b20e4fd1108dc3fe677bb12cbf8bc2f12e8410054

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1cc07872ae0344a5783e85fd7ef57a5d

SHA1
648124247afc6e763b1d366871195bcbc90d87a1

SHA256
0f7ae80c3882faffe772664ef613235902bb6e147514275e884f0370fa4119cd

SHA512
03ebff19c5c55e910b43a461186453b07e40eb7e42d3c76b13a9f9746c6be1a3c3e8a0cc3dec0d48c2ec6c7b20e4fd1108dc3fe677bb12cbf8bc2f12e8410054

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
1cc07872ae0344a5783e85fd7ef57a5d

SHA1
648124247afc6e763b1d366871195bcbc90d87a1

SHA256
0f7ae80c3882faffe772664ef613235902bb6e147514275e884f0370fa4119cd

SHA512
03ebff19c5c55e910b43a461186453b07e40eb7e42d3c76b13a9f9746c6be1a3c3e8a0cc3dec0d48c2ec6c7b20e4fd1108dc3fe677bb12cbf8bc2f12e8410054

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
a3602f62d838f23a98869adf9c79437c

SHA1
83ca6f690d927a1dedcf6fe699da6c070f2bb051

SHA256
4f381ac26cc449bf3ae4409e57d8539b0b1d5f996ce4f90925caaec56dc1fd8d

SHA512
1d78279527e545f110de4fc544f858f96eacb14170c814d051ab858079a2bc19710ff3c4cde848b29c22cebb478dd9e3f350172a7a11a5dae1a61ade4ce0057d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
a3602f62d838f23a98869adf9c79437c

SHA1
83ca6f690d927a1dedcf6fe699da6c070f2bb051

SHA256
4f381ac26cc449bf3ae4409e57d8539b0b1d5f996ce4f90925caaec56dc1fd8d

SHA512
1d78279527e545f110de4fc544f858f96eacb14170c814d051ab858079a2bc19710ff3c4cde848b29c22cebb478dd9e3f350172a7a11a5dae1a61ade4ce0057d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
88de0a3a19251d00661ad255e4c187a3

SHA1
95c9b81bebf921206eee8e0cf67bfedb81488452

SHA256
1fa922273dcc5879b27efd5979e408599852433df710096dc67b775c8c4e500d

SHA512
0eaff3aaf7234cdbd49a05fb14ac48679e4fa4f46dcc84c4604b6109d25fd32318c2c65df5e07c52019fc456290bcaeba6ee818059402b80f9702367b1e9fbb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
88de0a3a19251d00661ad255e4c187a3

SHA1
95c9b81bebf921206eee8e0cf67bfedb81488452

SHA256
1fa922273dcc5879b27efd5979e408599852433df710096dc67b775c8c4e500d

SHA512
0eaff3aaf7234cdbd49a05fb14ac48679e4fa4f46dcc84c4604b6109d25fd32318c2c65df5e07c52019fc456290bcaeba6ee818059402b80f9702367b1e9fbb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\data.exe

Filesize
72KB

MD5
d0476bc453962b874f99fcfd506ff60e

SHA1
c86706ad92b117cf28302fafda6931e0b7e3c9b6

SHA256
312e008df3c482e1989f59e1993dd76ce92bc4559aafc93f44e69ae725880ce8

SHA512
bb3b8bb1ce6efd4c86137668b9193cb471962979de9da51ba3126f7c14dcb930ecb81e6a434aaf6c22902a72b72aa2d122efcbf2c4ee56afe774afc618b05a64

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\data.exe

Filesize
72KB

MD5
d0476bc453962b874f99fcfd506ff60e

SHA1
c86706ad92b117cf28302fafda6931e0b7e3c9b6

SHA256
312e008df3c482e1989f59e1993dd76ce92bc4559aafc93f44e69ae725880ce8

SHA512
bb3b8bb1ce6efd4c86137668b9193cb471962979de9da51ba3126f7c14dcb930ecb81e6a434aaf6c22902a72b72aa2d122efcbf2c4ee56afe774afc618b05a64

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\update.exe

Filesize
72KB

MD5
88de0a3a19251d00661ad255e4c187a3

SHA1
95c9b81bebf921206eee8e0cf67bfedb81488452

SHA256
1fa922273dcc5879b27efd5979e408599852433df710096dc67b775c8c4e500d

SHA512
0eaff3aaf7234cdbd49a05fb14ac48679e4fa4f46dcc84c4604b6109d25fd32318c2c65df5e07c52019fc456290bcaeba6ee818059402b80f9702367b1e9fbb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\update.exe

Filesize
72KB

MD5
88de0a3a19251d00661ad255e4c187a3

SHA1
95c9b81bebf921206eee8e0cf67bfedb81488452

SHA256
1fa922273dcc5879b27efd5979e408599852433df710096dc67b775c8c4e500d

SHA512
0eaff3aaf7234cdbd49a05fb14ac48679e4fa4f46dcc84c4604b6109d25fd32318c2c65df5e07c52019fc456290bcaeba6ee818059402b80f9702367b1e9fbb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ba13cfb4fca74eb9014ed14f5f3495b6

SHA1
a73e5e348f59c5f2850de5998252b9facbecded2

SHA256
22bb4576d246161bc6e3f87dc12850130c6d368451bdc6b7cac6896c25c1a483

SHA512
54a89f5351b59a11f86e444afab0ca69b9b4c06c709bcf48139040e5b5ed288d7323b0ccda331352019e569162ef3b94cbbf7fdbad8dc9bbcd1c00d9b2f80ff6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
ba13cfb4fca74eb9014ed14f5f3495b6

SHA1
a73e5e348f59c5f2850de5998252b9facbecded2

SHA256
22bb4576d246161bc6e3f87dc12850130c6d368451bdc6b7cac6896c25c1a483

SHA512
54a89f5351b59a11f86e444afab0ca69b9b4c06c709bcf48139040e5b5ed288d7323b0ccda331352019e569162ef3b94cbbf7fdbad8dc9bbcd1c00d9b2f80ff6

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
3550c4aca78d15824c4a33dfe709cefc

SHA1
c3807039fa32745c6ab3948ba7d30fc22d5c8a36

SHA256
7727244cfa496b10517edd3299eb66f1f908e839420852a3f853ee7db80e3ad1

SHA512
47fde9a6b636eaebd2e75076cb6dd34692a45f5926c25637059f3b66cd6ed9eeba4261d345575f19700f6e2a320931cc994b43412b5519c80c490dcf1b5b5d11

Download Submit
C:\Program Files\Google\Chrome\backup.exe

Filesize
72KB

MD5
3550c4aca78d15824c4a33dfe709cefc

SHA1
c3807039fa32745c6ab3948ba7d30fc22d5c8a36

SHA256
7727244cfa496b10517edd3299eb66f1f908e839420852a3f853ee7db80e3ad1

SHA512
47fde9a6b636eaebd2e75076cb6dd34692a45f5926c25637059f3b66cd6ed9eeba4261d345575f19700f6e2a320931cc994b43412b5519c80c490dcf1b5b5d11

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
6d68c350c9dd9d2050d6a6e2e8914736

SHA1
027bc69fafb05034e3ecf7cd02aa3cdd697bcb70

SHA256
c61b1ce9167e14fefa31ebe909e13c3f87c14473c5083b3f03da4af696b1859f

SHA512
1441e0e648d5a76e6fcaf4b83593ee8711c24bb785c2c8a67b83a71a484a5418cc52fa0343e8a758044d2212405c654e76df4b8e1203c337f05728167ad69dbb

Download Submit
C:\Program Files\Google\backup.exe

Filesize
72KB

MD5
6d68c350c9dd9d2050d6a6e2e8914736

SHA1
027bc69fafb05034e3ecf7cd02aa3cdd697bcb70

SHA256
c61b1ce9167e14fefa31ebe909e13c3f87c14473c5083b3f03da4af696b1859f

SHA512
1441e0e648d5a76e6fcaf4b83593ee8711c24bb785c2c8a67b83a71a484a5418cc52fa0343e8a758044d2212405c654e76df4b8e1203c337f05728167ad69dbb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b4276d40fbfeb938d51cfa6a27f60dfa

SHA1
fb5bf1a9d04aa1d1c831ef2ad17e71f3bc4b4556

SHA256
7e1b4fe223b170eac70f99ddc1687d317d0f4fe01e473ac8fefe3ea75916a52c

SHA512
4d9ab822f7a49fbc3802fb52b492cb3ffc9da73752dc4aa51dbe64c48117c2fec1a19cc5833a1a42bc7d29a1d82366f25c52847ffbf0d84330ab2dbdbc09eb39

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
b4276d40fbfeb938d51cfa6a27f60dfa

SHA1
fb5bf1a9d04aa1d1c831ef2ad17e71f3bc4b4556

SHA256
7e1b4fe223b170eac70f99ddc1687d317d0f4fe01e473ac8fefe3ea75916a52c

SHA512
4d9ab822f7a49fbc3802fb52b492cb3ffc9da73752dc4aa51dbe64c48117c2fec1a19cc5833a1a42bc7d29a1d82366f25c52847ffbf0d84330ab2dbdbc09eb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\2353693535\backup.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\2353693535\backup.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f836028b2a91139575f64e6d9070b182

SHA1
0c23e2f2f163862904d64f61c3ce8a3c8ca518be

SHA256
aa4bd81e1835006a9d4999d9cba7eb52e84415cd58220f589b1eaed2e6aeb464

SHA512
7cbd3a1c9a00f2a85279e26adb76c06ae7f4e99e95457c806fde1c42eaa342e48886b62b03c570dd3e0aad89ab03ac30f253548be2fa209d42d77b653be19352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f836028b2a91139575f64e6d9070b182

SHA1
0c23e2f2f163862904d64f61c3ce8a3c8ca518be

SHA256
aa4bd81e1835006a9d4999d9cba7eb52e84415cd58220f589b1eaed2e6aeb464

SHA512
7cbd3a1c9a00f2a85279e26adb76c06ae7f4e99e95457c806fde1c42eaa342e48886b62b03c570dd3e0aad89ab03ac30f253548be2fa209d42d77b653be19352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1036dd501ce3310bd698d1766f65ac9f

SHA1
891ee6adcc5a693d2f5d50e756706e47bb0afe2f

SHA256
cd9bc74c471f108821add2ebd6ece2cc840f8ccd59ed596aa84b8745093df984

SHA512
da7cd67a5095b4212b47975114eed6081868d2bb77227b1570f9b1b7ea6cb506f982948375799612bbb4ad8effc1daba1501e674a5f322469176d73f19aea6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
1036dd501ce3310bd698d1766f65ac9f

SHA1
891ee6adcc5a693d2f5d50e756706e47bb0afe2f

SHA256
cd9bc74c471f108821add2ebd6ece2cc840f8ccd59ed596aa84b8745093df984

SHA512
da7cd67a5095b4212b47975114eed6081868d2bb77227b1570f9b1b7ea6cb506f982948375799612bbb4ad8effc1daba1501e674a5f322469176d73f19aea6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
3c4da78f4a6162b987ab3b8f67a57796

SHA1
c3b5f1212de35cae28e008de71de3e1b6f8d27a3

SHA256
a8cfdbedfd0be76d4765d83cc31291aaf30c9b3f14a15341c36717b94ee0cf81

SHA512
58a60601f6f4b482c1ef1ca0699c42f363fe55761c40095ebfa58b3eb5043c95563ca173f3764853461fcd890f1eef0ff0f480f329d65a26483588375cecd606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
3c4da78f4a6162b987ab3b8f67a57796

SHA1
c3b5f1212de35cae28e008de71de3e1b6f8d27a3

SHA256
a8cfdbedfd0be76d4765d83cc31291aaf30c9b3f14a15341c36717b94ee0cf81

SHA512
58a60601f6f4b482c1ef1ca0699c42f363fe55761c40095ebfa58b3eb5043c95563ca173f3764853461fcd890f1eef0ff0f480f329d65a26483588375cecd606

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
1dbd8a160dacff872e976545c99e2037

SHA1
1c7bed08f0c894b6cbc7f2db8368a0b3e19af08f

SHA256
243921894e14ec30dea5232af2003065e0317d37db05bdc28dfb6222b4d5d181

SHA512
8286967b710406e21404883687e40c559505167822855c4a167b231e0bf9e4d0c154d3a208f9428f21e97c1e15dd1fd6b1abcb9ed7a1818238ce27afc91d2f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
3c4da78f4a6162b987ab3b8f67a57796

SHA1
c3b5f1212de35cae28e008de71de3e1b6f8d27a3

SHA256
a8cfdbedfd0be76d4765d83cc31291aaf30c9b3f14a15341c36717b94ee0cf81

SHA512
58a60601f6f4b482c1ef1ca0699c42f363fe55761c40095ebfa58b3eb5043c95563ca173f3764853461fcd890f1eef0ff0f480f329d65a26483588375cecd606

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
3c4da78f4a6162b987ab3b8f67a57796

SHA1
c3b5f1212de35cae28e008de71de3e1b6f8d27a3

SHA256
a8cfdbedfd0be76d4765d83cc31291aaf30c9b3f14a15341c36717b94ee0cf81

SHA512
58a60601f6f4b482c1ef1ca0699c42f363fe55761c40095ebfa58b3eb5043c95563ca173f3764853461fcd890f1eef0ff0f480f329d65a26483588375cecd606

Download Submit
C:\backup.exe

Filesize
72KB

MD5
2c3d189923ccac827f53ba6263386b1e

SHA1
1508a466b64cb58f5d73cbb789cfb057499c635b

SHA256
b27a38fc14fc9d8c231e7bf293788f605dad1099ac40cea354533d44aad2a33f

SHA512
cb08272962b8418b72a9887678b023b027f57ceded5e47ccba2e4b0b76d900f45ce48e5e5de006fd423a19f9ed553aa656ca14d40f072a900db1d22b48c5027d

Download Submit
C:\backup.exe

Filesize
72KB

MD5
2c3d189923ccac827f53ba6263386b1e

SHA1
1508a466b64cb58f5d73cbb789cfb057499c635b

SHA256
b27a38fc14fc9d8c231e7bf293788f605dad1099ac40cea354533d44aad2a33f

SHA512
cb08272962b8418b72a9887678b023b027f57ceded5e47ccba2e4b0b76d900f45ce48e5e5de006fd423a19f9ed553aa656ca14d40f072a900db1d22b48c5027d

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
408b95d724d9c5fa49f040bd2e646f1a

SHA1
3a2da8f2c1ffdfe3bf810f30469b0df4044468f8

SHA256
ca48a83d66caca07ed592b1ae5a55cf16e798c891417224335f64ece17b00669

SHA512
f526ce90afe6d73372e3296d9ebb0207c86887ef18be16c3cca6fa001cb2219afe6903db47993d6174eea2afb0f3a29e411608892cf15d78864fcc49a11ee588

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
408b95d724d9c5fa49f040bd2e646f1a

SHA1
3a2da8f2c1ffdfe3bf810f30469b0df4044468f8

SHA256
ca48a83d66caca07ed592b1ae5a55cf16e798c891417224335f64ece17b00669

SHA512
f526ce90afe6d73372e3296d9ebb0207c86887ef18be16c3cca6fa001cb2219afe6903db47993d6174eea2afb0f3a29e411608892cf15d78864fcc49a11ee588

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads