d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d

Analysis

max time kernel
189s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe
Size

72KB
MD5

393b414c7abc43f449e3514e1d3f7ff0
SHA1

6b837bedc7d9f73b039f6503ccc19fd39e933813
SHA256

d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d
SHA512

440429301cfd9cc96abad6b52cbd166a8c9b1ebc5f86f3e17e9886db139db4f41b23220173b2d70a1feab336750d0a4d835591f3b8bde3c814097aab2060c774
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2l:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrJ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
5076	backup.exe
3572	backup.exe
2396	data.exe
4940	backup.exe
4132	backup.exe
4164	backup.exe
2844	backup.exe
1828	update.exe
3692	backup.exe
5016	backup.exe
32	backup.exe
2260	backup.exe
3296	backup.exe
2760	backup.exe
3792	backup.exe
5100	System Restore.exe
4900	backup.exe
3196	backup.exe
992	backup.exe
4316	backup.exe
4476	backup.exe
3452	backup.exe
1184	backup.exe
4372	backup.exe
3056	backup.exe
1328	backup.exe
3036	backup.exe
3016	backup.exe
3800	backup.exe
5044	data.exe
1288	backup.exe
2624	backup.exe
1860	backup.exe
4924	backup.exe
3488	backup.exe
652	backup.exe
4524	System Restore.exe
4992	backup.exe
1316	backup.exe
4808	backup.exe
2380	backup.exe
3988	backup.exe
1232	backup.exe
1076	backup.exe
2124	backup.exe
3976	backup.exe
2836	update.exe
1876	data.exe
2824	backup.exe
3780	backup.exe
860	backup.exe
4784	backup.exe
1240	backup.exe
1892	backup.exe
4076	backup.exe
4812	backup.exe
4016	backup.exe
5056	backup.exe
1680	backup.exe
4212	update.exe
4628	update.exe
3448	backup.exe
4164	backup.exe
2032	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	update.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe	backup.exe

Drops file in Windows directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\data.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\data.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\data.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\DiagTrack\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\serviced\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\update.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\System Restore.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe
5076	backup.exe
3572	backup.exe
2396	data.exe
4940	backup.exe
4132	backup.exe
4164	backup.exe
2844	backup.exe
1828	update.exe
3692	backup.exe
5016	backup.exe
32	backup.exe
2260	backup.exe
3296	backup.exe
2760	backup.exe
3792	backup.exe
5100	System Restore.exe
4900	backup.exe
3196	backup.exe
992	backup.exe
4316	backup.exe
4476	backup.exe
3452	backup.exe
1184	backup.exe
4372	backup.exe
3056	backup.exe
1328	backup.exe
3036	backup.exe
3016	backup.exe
3800	backup.exe
5044	data.exe
1288	backup.exe
2624	backup.exe
1860	backup.exe
4924	backup.exe
3488	backup.exe
652	backup.exe
4524	System Restore.exe
4992	backup.exe
1316	backup.exe
4808	backup.exe
2380	backup.exe
3988	backup.exe
1232	backup.exe
1076	backup.exe
2124	backup.exe
3976	backup.exe
1876	data.exe
2824	backup.exe
3780	backup.exe
2836	update.exe
860	backup.exe
4784	backup.exe
1892	backup.exe
1240	backup.exe
4076	backup.exe
4812	backup.exe
5056	backup.exe
4016	backup.exe
4212	update.exe
1680	backup.exe
4628	update.exe
3448	backup.exe
2032	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 5076	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	79
PID 2320 wrote to memory of 5076	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	79
PID 2320 wrote to memory of 5076	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	79
PID 2320 wrote to memory of 3572	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	80
PID 2320 wrote to memory of 3572	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	80
PID 2320 wrote to memory of 3572	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	80
PID 2320 wrote to memory of 2396	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	81
PID 2320 wrote to memory of 2396	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	81
PID 2320 wrote to memory of 2396	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	81
PID 2320 wrote to memory of 4940	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	82
PID 2320 wrote to memory of 4940	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	82
PID 2320 wrote to memory of 4940	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	82
PID 2320 wrote to memory of 4132	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	83
PID 2320 wrote to memory of 4132	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	83
PID 2320 wrote to memory of 4132	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	83
PID 2320 wrote to memory of 4164	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	84
PID 2320 wrote to memory of 4164	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	84
PID 2320 wrote to memory of 4164	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	84
PID 2320 wrote to memory of 2844	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	85
PID 2320 wrote to memory of 2844	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	85
PID 2320 wrote to memory of 2844	2320	d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe	85
PID 5076 wrote to memory of 1828	5076	backup.exe	86
PID 5076 wrote to memory of 1828	5076	backup.exe	86
PID 5076 wrote to memory of 1828	5076	backup.exe	86
PID 1828 wrote to memory of 3692	1828	update.exe	87
PID 1828 wrote to memory of 3692	1828	update.exe	87
PID 1828 wrote to memory of 3692	1828	update.exe	87
PID 1828 wrote to memory of 5016	1828	update.exe	88
PID 1828 wrote to memory of 5016	1828	update.exe	88
PID 1828 wrote to memory of 5016	1828	update.exe	88
PID 1828 wrote to memory of 32	1828	update.exe	89
PID 1828 wrote to memory of 32	1828	update.exe	89
PID 1828 wrote to memory of 32	1828	update.exe	89
PID 32 wrote to memory of 2260	32	backup.exe	90
PID 32 wrote to memory of 2260	32	backup.exe	90
PID 32 wrote to memory of 2260	32	backup.exe	90
PID 2260 wrote to memory of 3296	2260	backup.exe	91
PID 2260 wrote to memory of 3296	2260	backup.exe	91
PID 2260 wrote to memory of 3296	2260	backup.exe	91
PID 32 wrote to memory of 2760	32	backup.exe	92
PID 32 wrote to memory of 2760	32	backup.exe	92
PID 32 wrote to memory of 2760	32	backup.exe	92
PID 2760 wrote to memory of 3792	2760	backup.exe	93
PID 2760 wrote to memory of 3792	2760	backup.exe	93
PID 2760 wrote to memory of 3792	2760	backup.exe	93
PID 2760 wrote to memory of 5100	2760	backup.exe	94
PID 2760 wrote to memory of 5100	2760	backup.exe	94
PID 2760 wrote to memory of 5100	2760	backup.exe	94
PID 5100 wrote to memory of 4900	5100	System Restore.exe	95
PID 5100 wrote to memory of 4900	5100	System Restore.exe	95
PID 5100 wrote to memory of 4900	5100	System Restore.exe	95
PID 5100 wrote to memory of 3196	5100	System Restore.exe	96
PID 5100 wrote to memory of 3196	5100	System Restore.exe	96
PID 5100 wrote to memory of 3196	5100	System Restore.exe	96
PID 3196 wrote to memory of 992	3196	backup.exe	97
PID 3196 wrote to memory of 992	3196	backup.exe	97
PID 3196 wrote to memory of 992	3196	backup.exe	97
PID 3196 wrote to memory of 4316	3196	backup.exe	98
PID 3196 wrote to memory of 4316	3196	backup.exe	98
PID 3196 wrote to memory of 4316	3196	backup.exe	98
PID 3196 wrote to memory of 4476	3196	backup.exe	99
PID 3196 wrote to memory of 4476	3196	backup.exe	99
PID 3196 wrote to memory of 4476	3196	backup.exe	99
PID 3196 wrote to memory of 3452	3196	backup.exe	100

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe
"C:\Users\Admin\AppData\Local\Temp\d17508b73d316a331cd4c86ffd57c906254584f06e3b4718561437cc3e59497d.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\1379358378\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1379358378\backup.exe C:\Users\Admin\AppData\Local\Temp\1379358378\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\update.exe
    \update.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3692
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5016
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:32
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3296
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2760
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
      - C:\Program Files\Common Files\microsoft shared\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\System Restore.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4476
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4372
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3036
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3016
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4808
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2124
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4604
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        System policy modification
        
        PID:3116
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:936
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:3136
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:3036
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:2016
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1360
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        System policy modification
        
        PID:3220
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1248
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:1128
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:1912
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2076
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:4948
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:3276
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4076
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:5016
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1600
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:2208
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:1268
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:716
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2280
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2388
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:3984
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4168
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1880
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5060
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        System policy modification
        
        PID:2824
        
        C:\Program Files\Common Files\microsoft shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4028
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:3600
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:5084
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1240
        
        C:\Program Files\Common Files\System\ado\update.exe
        
        "C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4212
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3144
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:4736
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4392
        
        C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1636
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4388
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4256
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:4696
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2460
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1232
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:5048
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1388
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1124
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:2988
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3408
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3116
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2364
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        9⤵
        
        PID:1168
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2756
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        10⤵
        System policy modification
        
        PID:3920
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3636
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:3800
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1092
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2372
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3152
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:4468
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1364
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1368
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:324
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3780
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4484
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4012
      - C:\Program Files\Internet Explorer\en-US\update.exe
        
        "C:\Program Files\Internet Explorer\en-US\update.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:848
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2844
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:3792
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1384
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:4056
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:4752
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:5068
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1360
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:1688
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:3412
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Drops file in Program Files directory
        
        PID:4956
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:216
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:4244
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        Drops file in Program Files directory
        
        PID:2076
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:3136
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4308
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        System policy modification
        
        PID:2496
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:2384
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:3696
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:3100
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:1888
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:548
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        
        PID:4440
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:1720
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        
        PID:4148
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:5016
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        
        PID:2016
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        
        PID:936
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\
        10⤵
        
        PID:536
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
        9⤵
        
        PID:3488
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1388
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\data.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\
        9⤵
        
        PID:1316
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1512
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:732
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        
        PID:4016
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:4852
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:8
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2168
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        Drops file in Program Files directory
        
        PID:4984
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:4256
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:664
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:4712
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:3444
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:820
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:1680
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:1420
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        
        PID:1796
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:2388
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:3008
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        11⤵
        
        PID:3664
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:1368
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:3524
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        
        PID:4468
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        
        PID:2356
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        11⤵
        System policy modification
        
        PID:2060
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:4908
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:536
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:1168
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
        10⤵
        
        PID:5104
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
        11⤵
        
        PID:3692
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
        10⤵
        
        PID:856
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
        11⤵
        
        PID:1072
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
        10⤵
        
        PID:952
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\
        9⤵
        
        PID:1584
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1344
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:5088
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        
        PID:3936
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        
        PID:1748
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\
        9⤵
        Drops file in Program Files directory
        
        PID:1840
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:532
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2348
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        12⤵
        
        PID:3960
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        13⤵
        
        PID:4588
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        13⤵
        
        PID:4444
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        13⤵
        
        PID:4840
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:2460
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2500
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2688
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        11⤵
        
        PID:1344
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        11⤵
        System policy modification
        
        PID:3936
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4908
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        11⤵
        
        PID:3600
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        
        PID:3128
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        11⤵
        
        PID:4844
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        Drops file in Program Files directory
        
        PID:176
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\
        9⤵
        
        PID:1904
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\
        9⤵
        Drops file in Program Files directory
        
        PID:2964
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\
        10⤵
        
        PID:3792
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:4388
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
        10⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:3480
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\
        11⤵
        
        PID:3060
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\
        10⤵
        
        PID:3672
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\
        11⤵
        
        PID:3892
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\
        12⤵
        
        PID:3636
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\
        11⤵
        
        PID:3816
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:4912
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
        9⤵
        
        PID:992
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        10⤵
        Disables RegEdit via registry modification
        
        PID:652
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\
        11⤵
        
        PID:1096
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1512
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\
        11⤵
        Disables RegEdit via registry modification
        
        PID:8
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\
        12⤵
        System policy modification
        
        PID:1112
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        13⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3660
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\
        12⤵
        
        PID:3936
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        13⤵
        
        PID:1496
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        12⤵
        Disables RegEdit via registry modification
        
        PID:112
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\
        11⤵
        
        PID:4064
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\
        10⤵
        
        PID:1812
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\
        11⤵
        
        PID:2320
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\
        10⤵
        
        PID:764
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\
        10⤵
        
        PID:4428
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\
        10⤵
        
        PID:1276
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\
        11⤵
        
        PID:1496
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:4516
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:2192
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:992
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\update.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:452
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:1160
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3652
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:3188
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\data.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3468
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        
        PID:4828
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        
        PID:3376
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:3464
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:3452
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        
        PID:3052
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:1028
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        
        PID:3104
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:4992
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:3440
    - - C:\Program Files\Microsoft Office\System Restore.exe
        
        "C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:3996
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4160
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:4076
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Drops file in Program Files directory
        
        PID:3388
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4728
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:4972
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:1812
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:1652
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:5112
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2292
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:3636
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:4624
        
        C:\Program Files\Microsoft Office\root\Licenses\update.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\update.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:2296
        
        C:\Program Files\Microsoft Office\root\Licenses16\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\System Restore.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:2452
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:3492
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:2628
        
        C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        7⤵
        
        PID:3972
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        8⤵
        Drops file in Program Files directory
        
        PID:4328
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        9⤵
        Disables RegEdit via registry modification
        
        PID:3492
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        9⤵
        
        PID:1176
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2384
        
        C:\Program Files\Microsoft Office\root\Office16\1036\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\data.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4032
        
        C:\Program Files\Microsoft Office\root\Office16\3082\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\update.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        8⤵
        
        PID:3860
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        8⤵
        
        PID:2648
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        9⤵
        System policy modification
        
        PID:4004
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        9⤵
        
        PID:1288
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        10⤵
        
        PID:4032
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        9⤵
        
        PID:1712
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        9⤵
        Drops file in Program Files directory
        
        PID:8
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        8⤵
        
        PID:3276
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        9⤵
        
        PID:3192
        
        C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4004
        
        C:\Program Files\Microsoft Office\root\Office16\BORDERS\data.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\data.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4384
        
        C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1264
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        8⤵
        
        PID:860
        
        C:\Program Files\Microsoft Office\root\rsod\backup.exe
        
        "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
        7⤵
        
        PID:796
        
        C:\Program Files\Microsoft Office\root\Templates\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
        7⤵
        System policy modification
        
        PID:3492
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        8⤵
        
        PID:920
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3780
        
        C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        8⤵
        
        PID:1336
        
        C:\Program Files\Microsoft Office\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
        7⤵
        
        PID:1692
      - C:\Program Files\Microsoft Office\Updates\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\System Restore.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:2976
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:4300
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        System policy modification
        
        PID:4344
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\E3689E5E-425C-46DC-95FC-E48F726723DE\
        9⤵
        
        PID:2060
        
        C:\Program Files\Microsoft Office\Updates\Download\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\update.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:764
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\
        9⤵
        
        PID:3644
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\data.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\
        10⤵
        
        PID:716
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\
        11⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4752
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\
        12⤵
        
        PID:920
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\
        13⤵
        
        PID:3516
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\
        14⤵
        
        PID:728
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        15⤵
        Disables RegEdit via registry modification
        
        PID:4228
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\E3689E5E-425C-46DC-95FC-E48F726723DE\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        16⤵
        
        PID:4828
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        11⤵
        
        PID:2060
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:1576
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3120
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:4744
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1252
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:2064
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\update.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\update.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
      - C:\Program Files\Mozilla Firefox\defaults\update.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\update.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4628
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2824
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:5104
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2888
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:820
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3948
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2364
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1576
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4888
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        Drops file in Program Files directory
        
        PID:3152
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        Drops file in Program Files directory
        
        PID:5020
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:4976
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        System policy modification
        
        PID:4724
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:4060
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:2084
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:4752
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:796
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:3476
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:820
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:4708
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:116
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:2084
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:1556
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        
        PID:948
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:2964
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:4896
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        
        PID:2124
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        9⤵
        
        PID:3008
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        8⤵
        
        PID:268
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2836
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4016
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:4312
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        System policy modification
        
        PID:4408
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1928
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:4060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:4784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4216
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        System policy modification
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:3276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:4844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        
        PID:4392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        System policy modification
        
        PID:4012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        14⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:3332
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:4580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        Drops file in Program Files directory
        
        PID:4952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        
        PID:3936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        Drops file in Program Files directory
        
        PID:4916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:2372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:5052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:4624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        System policy modification
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:236
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        
        PID:5096
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        
        PID:4692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        Drops file in Program Files directory
        
        PID:4028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        
        PID:4048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        
        PID:3488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        
        PID:4476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        
        PID:4100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        
        PID:320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:3868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:4384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        
        PID:1160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        15⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        15⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        15⤵
        
        PID:3996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        15⤵
        
        PID:4664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:3600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:3516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:4428
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        15⤵
        
        PID:5116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4048
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:5108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:4120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:2320
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:4736
      - C:\Program Files (x86)\Common Files\Adobe\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\update.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:5104
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:3860
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4644
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:4504
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3876
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        Disables RegEdit via registry modification
        
        PID:820
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:4984
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:116
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2760
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:268
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Drops file in Program Files directory
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:2868
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Drops file in Program Files directory
        
        PID:3636
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:4696
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2964
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\
        15⤵
        Disables RegEdit via registry modification
        
        PID:3376
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\
        16⤵
        
        PID:4356
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\
        16⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:3816
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:4748
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:2688
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:2628
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:4732
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3480
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:716
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:3180
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:1332
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:4768
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:1072
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:408
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2396
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:3196
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:5108
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:976
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        System policy modification
        
        PID:4848
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4024
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:4160
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2648
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:4340
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2084
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1812
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2088
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:4976
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        Drops file in Program Files directory
        
        PID:4244
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:2968
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:412
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:3540
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:4640
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:2052
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        System policy modification
        
        PID:3036
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:4720
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:4844
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:4388
      - C:\Program Files (x86)\Common Files\System\update.exe
        
        "C:\Program Files (x86)\Common Files\System\update.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2624
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        System policy modification
        
        PID:4392
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3220
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\update.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4580
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4904
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\data.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:3976
        
        C:\Program Files (x86)\Common Files\System\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\update.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:4724
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4520
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:3484
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\System\it-IT\update.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\update.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1420
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:3440
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:3448
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1888
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\data.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\data.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2976
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:3880
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:4060
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:3596
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:3468
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:728
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:512
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1796
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4888
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1744
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4680
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2260
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        System policy modification
        
        PID:3484
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:4212
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:4144
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:3948
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:5096
        
        C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{9FE34FF4-CC04-4D7E-96B4-2FFAA3FF5050}\
        8⤵
        
        PID:640
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4812
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4636
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2276
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4312
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:208
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3876
      - C:\Program Files (x86)\Internet Explorer\images\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\System Restore.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:1656
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4428
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:3516
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:4748
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1732
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        
        PID:1316
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\
        7⤵
        System policy modification
        
        PID:824
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:3984
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\
        9⤵
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\data.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:4888
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:3948
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:4664
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:3980
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        System policy modification
        
        PID:1776
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        System policy modification
        
        PID:3276
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        Drops file in Program Files directory
        
        PID:4916
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:176
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:4936
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:1268
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:3136
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5032
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2016
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4160
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1892
      - C:\Users\Admin\Links\update.exe
        
        C:\Users\Admin\Links\update.exe C:\Users\Admin\Links\
        6⤵
        System policy modification
        
        PID:1816
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:4288
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:1276
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:3392
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:1208
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:4604
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4916
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2212
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4260
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:764
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:664
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1864
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4812
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1916
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2296
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:4224
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4100
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3152
      - C:\Windows\appcompat\appraiser\data.exe
        
        C:\Windows\appcompat\appraiser\data.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4252
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4608
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:4512
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3780
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:4260
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:3984
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:1420
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        System policy modification
        
        PID:3960
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:116
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:388
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2288
      - C:\Windows\apppatch\es-ES\update.exe
        
        C:\Windows\apppatch\es-ES\update.exe C:\Windows\apppatch\es-ES\
        6⤵
        System policy modification
        
        PID:4140
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:3780
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:4524
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:4664
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:4784
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:388
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:4164
        
        C:\Windows\assembly\GAC\ADODB\System Restore.exe
        
        "C:\Windows\assembly\GAC\ADODB\System Restore.exe" C:\Windows\assembly\GAC\ADODB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4268
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1636
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:268
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:3008
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        8⤵
        
        PID:4256
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:4408
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:1176
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:3464
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:512
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Drops file in Windows directory
        
        PID:716
        
        C:\Windows\assembly\GAC\MSDATASRC\data.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\data.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        Drops file in Windows directory
        
        PID:3328
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2372
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        Drops file in Windows directory
        
        PID:2060
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4828
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:2844
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:116
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4660
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4160
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\data.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\data.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2356
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2396
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1752
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:4692
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Windows directory
        
        PID:2380
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:3412
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:4640
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:1904
        
        C:\Windows\Branding\Basebrd\fr-FR\data.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\data.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:1548
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:3876
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:3956
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:4476
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:1308
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        Drops file in Windows directory
        
        PID:4736
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:908
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1912
    - - C:\Windows\debug\System Restore.exe
        
        "C:\Windows\debug\System Restore.exe" C:\Windows\debug\
        5⤵
        
        PID:5044
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1880
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        
        PID:4312
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2844

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5056
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:3448
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
    3⤵
    PID:3692
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
    3⤵
    - Disables RegEdit via registry modification
    PID:3772
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
    3⤵
    PID:2868
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
    3⤵
    PID:4004
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
    3⤵
    PID:4948
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
    3⤵
    PID:4516
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
      4⤵
      PID:980
    - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        5⤵
        
        PID:2380
- C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe
  "C:\Program Files\Google\Chrome\Application\SetupMetrics\System Restore.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
  2⤵
  PID:4152

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
1⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
1⤵
PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
  2⤵
  - Drops file in Program Files directory
  PID:3988
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
    3⤵
    - Disables RegEdit via registry modification
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\data.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
    3⤵
    PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
      4⤵
      System policy modification
      PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
      4⤵
      PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
    3⤵
    PID:320
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\data.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
    3⤵
    PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
  2⤵
  PID:2340

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
1⤵
- Disables RegEdit via registry modification
PID:4600

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
1⤵
PID:872

C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
53517e547d742c153d84f91b34da01bd

SHA1
e9e6d70085b920f124493ae79bdf5b4f7451152c

SHA256
4b9e9fcc7784f68889ce9131552c650f1079eff3afa365c1e22a0fd5f0be9d57

SHA512
fd2bb37d4ca34eb0c4dfb31363f6c0ad3e5468ae5e02556c2e025cec7edb3256eedf282f9390a2372284aa17067d1d8198f3cac5b450ee796ec22e5798e94402

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
53517e547d742c153d84f91b34da01bd

SHA1
e9e6d70085b920f124493ae79bdf5b4f7451152c

SHA256
4b9e9fcc7784f68889ce9131552c650f1079eff3afa365c1e22a0fd5f0be9d57

SHA512
fd2bb37d4ca34eb0c4dfb31363f6c0ad3e5468ae5e02556c2e025cec7edb3256eedf282f9390a2372284aa17067d1d8198f3cac5b450ee796ec22e5798e94402

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
53517e547d742c153d84f91b34da01bd

SHA1
e9e6d70085b920f124493ae79bdf5b4f7451152c

SHA256
4b9e9fcc7784f68889ce9131552c650f1079eff3afa365c1e22a0fd5f0be9d57

SHA512
fd2bb37d4ca34eb0c4dfb31363f6c0ad3e5468ae5e02556c2e025cec7edb3256eedf282f9390a2372284aa17067d1d8198f3cac5b450ee796ec22e5798e94402

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
53517e547d742c153d84f91b34da01bd

SHA1
e9e6d70085b920f124493ae79bdf5b4f7451152c

SHA256
4b9e9fcc7784f68889ce9131552c650f1079eff3afa365c1e22a0fd5f0be9d57

SHA512
fd2bb37d4ca34eb0c4dfb31363f6c0ad3e5468ae5e02556c2e025cec7edb3256eedf282f9390a2372284aa17067d1d8198f3cac5b450ee796ec22e5798e94402

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
64ff08a70cd071598ba6f351c3945093

SHA1
937b1d4c94886652794ba85eb43fcb640259416b

SHA256
911bbec9ca097b4db3fc871527d5d0b84d624b3a8e7cd738b29bab122c43cbed

SHA512
5efc473c8ecde9e4a67a374d9e7f4b2833a08a2a20207fd7361b065525a093641f658419c59612fcb94429c1861dcdb37277cd3ce0987ae2a07e2fab96ad9ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
64ff08a70cd071598ba6f351c3945093

SHA1
937b1d4c94886652794ba85eb43fcb640259416b

SHA256
911bbec9ca097b4db3fc871527d5d0b84d624b3a8e7cd738b29bab122c43cbed

SHA512
5efc473c8ecde9e4a67a374d9e7f4b2833a08a2a20207fd7361b065525a093641f658419c59612fcb94429c1861dcdb37277cd3ce0987ae2a07e2fab96ad9ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\System Restore.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\Common Files\microsoft shared\System Restore.exe

Filesize
72KB

MD5
afa734dec65e62de588c1c9bad706ca7

SHA1
178c11c739885df866a50263ac457b0ce704ca1a

SHA256
9bf7068601b9efa34429040c78f9a337457408822e1a356b50e16488579e7be4

SHA512
e495579952da3c43d7e7b2f68b2ad8ed43865aa35956affbd85ebe78e6f99b9c80fff30a3646eea44b5341ae51fdf1abfafaa2bbeaa2647b2f0420addd7de906

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c16e6f554933a5641afe6a8900525567

SHA1
b9352cac0d108235ef16bad3b7ba59ecde76bd55

SHA256
d7ef59016427ae21b807a2998abe793db2c881181126b79786dc7a66f1d5282d

SHA512
1d54ab3d46c327501bcb1f550259bd22940a32be23d7a4262ace59874bad0db992fbf17b8fbf5e0de6874607b3520a1d1eab612fbcd839e59e1f04fd3191eafe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c16e6f554933a5641afe6a8900525567

SHA1
b9352cac0d108235ef16bad3b7ba59ecde76bd55

SHA256
d7ef59016427ae21b807a2998abe793db2c881181126b79786dc7a66f1d5282d

SHA512
1d54ab3d46c327501bcb1f550259bd22940a32be23d7a4262ace59874bad0db992fbf17b8fbf5e0de6874607b3520a1d1eab612fbcd839e59e1f04fd3191eafe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
64ff08a70cd071598ba6f351c3945093

SHA1
937b1d4c94886652794ba85eb43fcb640259416b

SHA256
911bbec9ca097b4db3fc871527d5d0b84d624b3a8e7cd738b29bab122c43cbed

SHA512
5efc473c8ecde9e4a67a374d9e7f4b2833a08a2a20207fd7361b065525a093641f658419c59612fcb94429c1861dcdb37277cd3ce0987ae2a07e2fab96ad9ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
64ff08a70cd071598ba6f351c3945093

SHA1
937b1d4c94886652794ba85eb43fcb640259416b

SHA256
911bbec9ca097b4db3fc871527d5d0b84d624b3a8e7cd738b29bab122c43cbed

SHA512
5efc473c8ecde9e4a67a374d9e7f4b2833a08a2a20207fd7361b065525a093641f658419c59612fcb94429c1861dcdb37277cd3ce0987ae2a07e2fab96ad9ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
c16e6f554933a5641afe6a8900525567

SHA1
b9352cac0d108235ef16bad3b7ba59ecde76bd55

SHA256
d7ef59016427ae21b807a2998abe793db2c881181126b79786dc7a66f1d5282d

SHA512
1d54ab3d46c327501bcb1f550259bd22940a32be23d7a4262ace59874bad0db992fbf17b8fbf5e0de6874607b3520a1d1eab612fbcd839e59e1f04fd3191eafe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
c16e6f554933a5641afe6a8900525567

SHA1
b9352cac0d108235ef16bad3b7ba59ecde76bd55

SHA256
d7ef59016427ae21b807a2998abe793db2c881181126b79786dc7a66f1d5282d

SHA512
1d54ab3d46c327501bcb1f550259bd22940a32be23d7a4262ace59874bad0db992fbf17b8fbf5e0de6874607b3520a1d1eab612fbcd839e59e1f04fd3191eafe

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\data.exe

Filesize
72KB

MD5
3774d13143261d7da26578f3367d91cb

SHA1
2412f3ba4553a75859493a372dcc8712b40e6b5e

SHA256
a35352585755e5acef72d04710e329aa01b058566fa0accaa02a5097b85ad857

SHA512
ded2df42188c0644aa3f431a9eb798fe7caf1a9d9870bde76da438f86150e969c0529196ce7c0718fbfc08802a8bcace934d670d45cbdb177cce5a80c2e10419

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
ce6586999e02d53b1e2475b649aa6dab

SHA1
efa39d6e19c5cd639285cf34c19b58c9d30ef6a2

SHA256
d421b74301b832d65901dbf0dbe7e8c8bf54b4157d220f2379ade7c827cece44

SHA512
a83686e99202d68a60ddbbcf64fc65a541f518a8411a5405234d11d88d47b2b2650e2c2a68abe92cd3bee8c57d9993f7e26a5d4d0eaaec5b7d1d7788f76383dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
ce6586999e02d53b1e2475b649aa6dab

SHA1
efa39d6e19c5cd639285cf34c19b58c9d30ef6a2

SHA256
d421b74301b832d65901dbf0dbe7e8c8bf54b4157d220f2379ade7c827cece44

SHA512
a83686e99202d68a60ddbbcf64fc65a541f518a8411a5405234d11d88d47b2b2650e2c2a68abe92cd3bee8c57d9993f7e26a5d4d0eaaec5b7d1d7788f76383dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
ce6586999e02d53b1e2475b649aa6dab

SHA1
efa39d6e19c5cd639285cf34c19b58c9d30ef6a2

SHA256
d421b74301b832d65901dbf0dbe7e8c8bf54b4157d220f2379ade7c827cece44

SHA512
a83686e99202d68a60ddbbcf64fc65a541f518a8411a5405234d11d88d47b2b2650e2c2a68abe92cd3bee8c57d9993f7e26a5d4d0eaaec5b7d1d7788f76383dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe

Filesize
72KB

MD5
ce6586999e02d53b1e2475b649aa6dab

SHA1
efa39d6e19c5cd639285cf34c19b58c9d30ef6a2

SHA256
d421b74301b832d65901dbf0dbe7e8c8bf54b4157d220f2379ade7c827cece44

SHA512
a83686e99202d68a60ddbbcf64fc65a541f518a8411a5405234d11d88d47b2b2650e2c2a68abe92cd3bee8c57d9993f7e26a5d4d0eaaec5b7d1d7788f76383dd

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1379358378\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1379358378\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
95bcf8d795ffb050860af57a8f179c8e

SHA1
b0d1d022d88102cbffb7146a588d211ee49f4cec

SHA256
409564dd67453ba8545db803800f68cf37fff53b53cfecb0a7a377abafad4bdb

SHA512
66a0177562a50f79f63bfdabce4f5abfc0ed0525569d435c0561ad5a215099c9f68770e39f6358208f9803cb4d0f500cb60eca57d9f6fa704de33389606a932e

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
7a3d3cdc7021bd9ceec9508ef912ff5d

SHA1
0d3e344b533b24f6aae545ed5c4e435c4edfaabc

SHA256
e0c8632509828c001fa09b3881b8273f0f60135d5c1a9d304676ec195e3ff378

SHA512
7ebce6de6a578c4791e446afa215dbc32cad6fed7e8f4db352c306cf68cff154883d74f4c65193e265a84343a3f3c78780445f590b603e854416e3a546050c41

Download Submit
C:\update.exe

Filesize
72KB

MD5
7075ea7ed801efb459b8b8dcedd8ad7d

SHA1
0aaa7b6807d2f01ffcb35b44e8fb347859fff72e

SHA256
8fccd3576903388a66b09ae1edeefa7775c8d6ebead3485d4375b90fc7aadb34

SHA512
e208a3b15252b54b952464de15e1acd5f1b8f22c3c8236b9d7c04bb63cd204e4fbbeae9862b5aa39f0ff459c2a62a142d535bd5d14a228219ae65bb13c99cc90

Download Submit
C:\update.exe

Filesize
72KB

MD5
7075ea7ed801efb459b8b8dcedd8ad7d

SHA1
0aaa7b6807d2f01ffcb35b44e8fb347859fff72e

SHA256
8fccd3576903388a66b09ae1edeefa7775c8d6ebead3485d4375b90fc7aadb34

SHA512
e208a3b15252b54b952464de15e1acd5f1b8f22c3c8236b9d7c04bb63cd204e4fbbeae9862b5aa39f0ff459c2a62a142d535bd5d14a228219ae65bb13c99cc90

Download Submit
memory/32-184-0x0000000000000000-mapping.dmp

Download
memory/652-303-0x0000000000000000-mapping.dmp

Download
memory/860-340-0x0000000000000000-mapping.dmp

Download
memory/992-224-0x0000000000000000-mapping.dmp

Download
memory/1076-327-0x0000000000000000-mapping.dmp

Download
memory/1184-244-0x0000000000000000-mapping.dmp

Download
memory/1232-324-0x0000000000000000-mapping.dmp

Download
memory/1240-354-0x0000000000000000-mapping.dmp

Download
memory/1288-284-0x0000000000000000-mapping.dmp

Download
memory/1316-312-0x0000000000000000-mapping.dmp

Download
memory/1328-259-0x0000000000000000-mapping.dmp

Download
memory/1680-369-0x0000000000000000-mapping.dmp

Download
memory/1828-169-0x0000000000000000-mapping.dmp

Download
memory/1860-294-0x0000000000000000-mapping.dmp

Download
memory/1876-336-0x0000000000000000-mapping.dmp

Download
memory/1892-355-0x0000000000000000-mapping.dmp

Download
memory/2124-330-0x0000000000000000-mapping.dmp

Download
memory/2260-189-0x0000000000000000-mapping.dmp

Download
memory/2380-318-0x0000000000000000-mapping.dmp

Download
memory/2396-144-0x0000000000000000-mapping.dmp

Download
memory/2624-289-0x0000000000000000-mapping.dmp

Download
memory/2760-199-0x0000000000000000-mapping.dmp

Download
memory/2824-339-0x0000000000000000-mapping.dmp

Download
memory/2836-337-0x0000000000000000-mapping.dmp

Download
memory/2844-164-0x0000000000000000-mapping.dmp

Download
memory/3016-269-0x0000000000000000-mapping.dmp

Download
memory/3036-264-0x0000000000000000-mapping.dmp

Download
memory/3056-254-0x0000000000000000-mapping.dmp

Download
memory/3144-384-0x0000000000000000-mapping.dmp

Download
memory/3196-219-0x0000000000000000-mapping.dmp

Download
memory/3296-194-0x0000000000000000-mapping.dmp

Download
memory/3448-375-0x0000000000000000-mapping.dmp

Download
memory/3452-239-0x0000000000000000-mapping.dmp

Download
memory/3488-300-0x0000000000000000-mapping.dmp

Download
memory/3572-139-0x0000000000000000-mapping.dmp

Download
memory/3692-174-0x0000000000000000-mapping.dmp

Download
memory/3780-338-0x0000000000000000-mapping.dmp

Download
memory/3792-204-0x0000000000000000-mapping.dmp

Download
memory/3800-274-0x0000000000000000-mapping.dmp

Download
memory/3976-333-0x0000000000000000-mapping.dmp

Download
memory/3988-321-0x0000000000000000-mapping.dmp

Download
memory/4016-358-0x0000000000000000-mapping.dmp

Download
memory/4076-357-0x0000000000000000-mapping.dmp

Download
memory/4132-154-0x0000000000000000-mapping.dmp

Download
memory/4164-381-0x0000000000000000-mapping.dmp

Download
memory/4164-159-0x0000000000000000-mapping.dmp

Download
memory/4212-368-0x0000000000000000-mapping.dmp

Download
memory/4316-229-0x0000000000000000-mapping.dmp

Download
memory/4372-249-0x0000000000000000-mapping.dmp

Download
memory/4476-234-0x0000000000000000-mapping.dmp

Download
memory/4524-306-0x0000000000000000-mapping.dmp

Download
memory/4628-371-0x0000000000000000-mapping.dmp

Download
memory/4784-350-0x0000000000000000-mapping.dmp

Download
memory/4808-315-0x0000000000000000-mapping.dmp

Download
memory/4812-356-0x0000000000000000-mapping.dmp

Download
memory/4900-214-0x0000000000000000-mapping.dmp

Download
memory/4924-297-0x0000000000000000-mapping.dmp

Download
memory/4940-149-0x0000000000000000-mapping.dmp

Download
memory/4992-309-0x0000000000000000-mapping.dmp

Download
memory/5016-179-0x0000000000000000-mapping.dmp

Download
memory/5044-279-0x0000000000000000-mapping.dmp

Download
memory/5056-367-0x0000000000000000-mapping.dmp

Download
memory/5076-134-0x0000000000000000-mapping.dmp

Download
memory/5100-209-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads