15035cfd5d6e738db8243e7b72fff04d607caddbeef80e49620660364a897412

Analysis

max time kernel
169s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe
Size

72KB
MD5

06801c0851f33c9e933d959532cf3ae0
SHA1

54e534adf514aa5e259e2ab8c0f719cd43b24495
SHA256

15035cfd5d6e738db8243e7b72fff04d607caddbeef80e49620660364a897412
SHA512

ee104641470f3552cc93915ef306348b81d1497fa9e4f6c1d85a87b1a6a82b754b31899bc4c8f05af206aa55c2806a6b9d2a5a79cefa81f46f97eb60a6744011
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPhd:ieTce/U/hKYuKPhd

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2168	backup.exe
1252	backup.exe
3416	backup.exe
2712	backup.exe
1816	backup.exe
3304	backup.exe
4720	data.exe
4460	backup.exe
2440	backup.exe
3524	backup.exe
1812	backup.exe
2840	backup.exe
3064	backup.exe
1952	backup.exe
2352	update.exe
4884	backup.exe
904	backup.exe
5056	backup.exe
4332	backup.exe
4940	backup.exe
1468	backup.exe
2516	update.exe
3008	backup.exe
2184	backup.exe
4428	System Restore.exe
4380	backup.exe
3268	backup.exe
728	backup.exe
4436	backup.exe
4944	System Restore.exe
3856	update.exe
848	backup.exe
4980	backup.exe
1976	backup.exe
1700	backup.exe
1384	backup.exe
868	backup.exe
3916	update.exe
2652	backup.exe
2100	backup.exe
3604	backup.exe
3492	backup.exe
4856	backup.exe
4404	backup.exe
1728	backup.exe
4588	backup.exe
1732	System Restore.exe
3304	backup.exe
3608	backup.exe
5048	backup.exe
1952	backup.exe
4600	backup.exe
1792	backup.exe
856	data.exe
4136	backup.exe
3472	backup.exe
5084	backup.exe
4456	backup.exe
496	backup.exe
1000	backup.exe
3836	backup.exe
4516	backup.exe
2160	backup.exe
3944	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\data.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\data.exe	update.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\data.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\backup.exe	update.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	update.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\backup.exe	data.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	data.exe
File opened for modification	C:\Windows\data.exe	backup.exe
File opened for modification	C:\Windows\apppatch\update.exe	data.exe
File opened for modification	C:\Windows\appcompat\backup.exe	data.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	System Restore.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	update.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	data.exe
File opened for modification	C:\Windows\Branding\backup.exe	data.exe
File opened for modification	C:\Windows\addins\backup.exe	data.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe
2168	backup.exe
1252	backup.exe
3416	backup.exe
2712	backup.exe
3304	backup.exe
1816	backup.exe
4720	data.exe
4460	backup.exe
2440	backup.exe
3524	backup.exe
1812	backup.exe
2840	backup.exe
3064	backup.exe
1952	backup.exe
2352	update.exe
4884	backup.exe
904	backup.exe
5056	backup.exe
4332	backup.exe
4940	backup.exe
1468	backup.exe
2516	update.exe
3008	backup.exe
2184	backup.exe
4428	System Restore.exe
4380	backup.exe
3268	backup.exe
728	backup.exe
4436	backup.exe
4944	System Restore.exe
3856	update.exe
848	backup.exe
4980	backup.exe
1976	backup.exe
1700	backup.exe
1384	backup.exe
3916	update.exe
868	backup.exe
2652	backup.exe
2100	backup.exe
3604	backup.exe
3492	backup.exe
4856	backup.exe
1728	backup.exe
4404	backup.exe
4588	backup.exe
1732	System Restore.exe
3304	backup.exe
3608	backup.exe
5048	backup.exe
1952	backup.exe
4600	backup.exe
1792	backup.exe
856	data.exe
4136	backup.exe
3472	backup.exe
5084	backup.exe
4456	backup.exe
496	backup.exe
1000	backup.exe
4516	backup.exe
3836	backup.exe
2160	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2168	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	83
PID 3948 wrote to memory of 2168	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	83
PID 3948 wrote to memory of 2168	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	83
PID 3948 wrote to memory of 1252	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	84
PID 3948 wrote to memory of 1252	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	84
PID 3948 wrote to memory of 1252	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	84
PID 3948 wrote to memory of 3416	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	85
PID 3948 wrote to memory of 3416	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	85
PID 3948 wrote to memory of 3416	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	85
PID 3948 wrote to memory of 2712	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	86
PID 3948 wrote to memory of 2712	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	86
PID 3948 wrote to memory of 2712	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	86
PID 3948 wrote to memory of 3304	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	88
PID 3948 wrote to memory of 3304	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	88
PID 3948 wrote to memory of 3304	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	88
PID 2168 wrote to memory of 1816	2168	backup.exe	87
PID 2168 wrote to memory of 1816	2168	backup.exe	87
PID 2168 wrote to memory of 1816	2168	backup.exe	87
PID 3948 wrote to memory of 4720	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	89
PID 3948 wrote to memory of 4720	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	89
PID 3948 wrote to memory of 4720	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	89
PID 1816 wrote to memory of 4460	1816	backup.exe	90
PID 1816 wrote to memory of 4460	1816	backup.exe	90
PID 1816 wrote to memory of 4460	1816	backup.exe	90
PID 3948 wrote to memory of 2440	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	91
PID 3948 wrote to memory of 2440	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	91
PID 3948 wrote to memory of 2440	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	91
PID 1816 wrote to memory of 3524	1816	backup.exe	92
PID 1816 wrote to memory of 3524	1816	backup.exe	92
PID 1816 wrote to memory of 3524	1816	backup.exe	92
PID 3948 wrote to memory of 1812	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	93
PID 3948 wrote to memory of 1812	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	93
PID 3948 wrote to memory of 1812	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	93
PID 1816 wrote to memory of 2840	1816	backup.exe	94
PID 1816 wrote to memory of 2840	1816	backup.exe	94
PID 1816 wrote to memory of 2840	1816	backup.exe	94
PID 3948 wrote to memory of 3064	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	95
PID 3948 wrote to memory of 3064	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	95
PID 3948 wrote to memory of 3064	3948	NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe	95
PID 2840 wrote to memory of 1952	2840	backup.exe	96
PID 2840 wrote to memory of 1952	2840	backup.exe	96
PID 2840 wrote to memory of 1952	2840	backup.exe	96
PID 3064 wrote to memory of 2352	3064	backup.exe	97
PID 3064 wrote to memory of 2352	3064	backup.exe	97
PID 3064 wrote to memory of 2352	3064	backup.exe	97
PID 1952 wrote to memory of 4884	1952	backup.exe	98
PID 1952 wrote to memory of 4884	1952	backup.exe	98
PID 1952 wrote to memory of 4884	1952	backup.exe	98
PID 2352 wrote to memory of 904	2352	update.exe	99
PID 2352 wrote to memory of 904	2352	update.exe	99
PID 2352 wrote to memory of 904	2352	update.exe	99
PID 2840 wrote to memory of 5056	2840	backup.exe	100
PID 2840 wrote to memory of 5056	2840	backup.exe	100
PID 2840 wrote to memory of 5056	2840	backup.exe	100
PID 5056 wrote to memory of 4332	5056	backup.exe	102
PID 5056 wrote to memory of 4332	5056	backup.exe	102
PID 5056 wrote to memory of 4332	5056	backup.exe	102
PID 5056 wrote to memory of 4940	5056	backup.exe	103
PID 5056 wrote to memory of 4940	5056	backup.exe	103
PID 5056 wrote to memory of 4940	5056	backup.exe	103
PID 4940 wrote to memory of 1468	4940	backup.exe	104
PID 4940 wrote to memory of 1468	4940	backup.exe	104
PID 4940 wrote to memory of 1468	4940	backup.exe	104
PID 4940 wrote to memory of 2516	4940	backup.exe	106

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.06801c0851f33c9e933d959532cf3ae0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\{AE1D4D88-3049-4A83-A1FC-D8CA1DA97038}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{AE1D4D88-3049-4A83-A1FC-D8CA1DA97038}\backup.exe C:\Users\Admin\AppData\Local\Temp\{AE1D4D88-3049-4A83-A1FC-D8CA1DA97038}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1816
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4460
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3524
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4884
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5056
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4332
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\microsoft shared\ink\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\update.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4380
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:728
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4980
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3492
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5084
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1000
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:888
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:4944
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:4100
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3156
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1684
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2184
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:2228
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:3780
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:3252
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:540
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:4804
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:3492
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:4840
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1216
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:4492
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4600
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2856
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:5060
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\System Restore.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:2748
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:4628
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:4304
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1716
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4564
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:3732
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:2100
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:3064
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:4712
        
        C:\Program Files\Common Files\microsoft shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\update.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        System policy modification
        
        PID:868
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:1124
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:3064
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:1692
        
        C:\Program Files\Common Files\microsoft shared\VC\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4888
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:4572
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:684
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:2332
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:1380
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        System policy modification
        
        PID:4656
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:3108
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:4836
        
        C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1728
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4428
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:1804
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:892
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:3556
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4668
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1396
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1984
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1064
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2252
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        System policy modification
        
        PID:5068
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4056
        
        C:\Program Files\Common Files\System\msadc\en-US\update.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\update.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2564
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:4836
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4628
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:564
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:4760
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:4804
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2260
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3176
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:640
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3800
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\data.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        System policy modification
        
        PID:4876
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4456
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Drops file in Program Files directory
        
        PID:4496
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:1640
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:4752
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        Disables RegEdit via registry modification
        
        PID:5044
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:4780
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:3520
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4948
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2808
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:5020
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:4804
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:3304
      - C:\Program Files\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files\Internet Explorer\es-ES\update.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:5056
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:648
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1940
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:5028
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:3732
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1996
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:4404
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:2028
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:2916
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        Disables RegEdit via registry modification
        
        PID:404
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2008
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:4192
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        
        PID:3492
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:2276
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:1464
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        Drops file in Program Files directory
        
        PID:3676
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:4396
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:4932
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4364
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:1512
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:4616
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:368
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        
        PID:2216
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        System policy modification
        
        PID:1988
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        
        PID:1380
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        
        PID:4988
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        
        PID:1980
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:3304
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:1500
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:636
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:4164
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4588
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4396
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3124
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:1268
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:2936
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:540
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\
        9⤵
        
        PID:2092
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:2816
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\
        9⤵
        
        PID:384
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\
        9⤵
        
        PID:3944
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\
        9⤵
        
        PID:932
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        
        PID:3872
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3960
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:692
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
        10⤵
        
        PID:232
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\
        9⤵
        
        PID:632
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        10⤵
        
        PID:2980
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\
        9⤵
        System policy modification
        
        PID:100
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        Drops file in Program Files directory
        
        PID:4752
        
        C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4164
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:3520
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        System policy modification
        
        PID:3088
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:4760
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4336
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        8⤵
        
        PID:1248
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        
        PID:1252
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4676
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        System policy modification
        
        PID:1748
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        System policy modification
        
        PID:4720
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4160
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:4136
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2768
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:692
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3160
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:1980
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:4940
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2332
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:2236
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\data.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\data.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        
        PID:3424
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:4028
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:1328
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4820
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4884
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\
        9⤵
        
        PID:4176
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        8⤵
        
        PID:4688
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\
        9⤵
        
        PID:1528
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\
        10⤵
        
        PID:2540
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DC05A1A0-27FF-461D-97D8-8B6AE7DE67E3\root\vfs\
        11⤵
        
        PID:1224
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:2984
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:1240
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Drops file in Program Files directory
        
        PID:5036
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:432
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:4172
      - C:\Program Files\Mozilla Firefox\defaults\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\System Restore.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4844
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:3484
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:4564
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2068
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:3016
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:3780
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:892
      - C:\Program Files\MSBuild\Microsoft\data.exe
        
        "C:\Program Files\MSBuild\Microsoft\data.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:1396
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2812
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2652
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\update.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\update.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:1376
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:860
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:3268
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:4712
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:1676
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:4212
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:752
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:684
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1984
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2064
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:4648
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2172
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1976
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1384
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:3472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:5012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:1268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        
        PID:4044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:2432
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:4964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:2836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4252
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        Drops file in Program Files directory
        
        PID:3680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:2972
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:4436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:4836
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:2748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        Drops file in Program Files directory
        
        PID:4380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:3852
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:3740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:3176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        14⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        12⤵
        Disables RegEdit via registry modification
        
        PID:3260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        13⤵
        
        PID:2856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        12⤵
        
        PID:1372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        13⤵
        Drops file in Program Files directory
        
        PID:4676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        14⤵
        
        PID:1324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        12⤵
        System policy modification
        
        PID:4168
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        14⤵
        Disables RegEdit via registry modification
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        12⤵
        Drops file in Program Files directory
        
        PID:1876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        13⤵
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        14⤵
        Drops file in Program Files directory
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        15⤵
        
        PID:4624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        15⤵
        System policy modification
        
        PID:4740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        15⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:4888
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        15⤵
        Disables RegEdit via registry modification
        
        PID:2260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        15⤵
        System policy modification
        
        PID:576
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        15⤵
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        15⤵
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        15⤵
        
        PID:1636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:3448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        13⤵
        
        PID:4604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:3740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        14⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        15⤵
        
        PID:5068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        15⤵
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        12⤵
        
        PID:4300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        13⤵
        
        PID:4124
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        14⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        13⤵
        Disables RegEdit via registry modification
        
        PID:4768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        System policy modification
        
        PID:4436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        System policy modification
        
        PID:496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:5024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4436
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1716
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:4692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:1384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:2252
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:4168
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:4616
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4388
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:1800
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:3764
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:2832
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:3676
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2152
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        Disables RegEdit via registry modification
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:4712
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:5112
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:1748
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        System policy modification
        
        PID:892
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:2092
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:3492
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:1180
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:3260
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:5048
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        System policy modification
        
        PID:3872
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:2992
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:4420
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:1728
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:2472
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:1272
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4768
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Disables RegEdit via registry modification
        
        PID:112
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4652
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:3852
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:1508
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2748
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3644
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:3672
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3420
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4872
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1812
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:3360
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:4640
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:3872
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2236
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\data.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1268
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1256
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1324
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\System\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1832
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1744
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2992
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4884
      - C:\Program Files (x86)\Google\CrashReports\System Restore.exe
        
        "C:\Program Files (x86)\Google\CrashReports\System Restore.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:384
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3956
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:2104
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:1396
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3040
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:3092
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        System policy modification
        
        PID:2172
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Program Files (x86)\Google\Update\Install\{1797AC65-6EF7-4E18-8A69-EDA54C30FA4B}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{1797AC65-6EF7-4E18-8A69-EDA54C30FA4B}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{1797AC65-6EF7-4E18-8A69-EDA54C30FA4B}\
        8⤵
        
        PID:4880
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4752
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:4536
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:3592
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:648
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3996
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        System policy modification
        
        PID:5096
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2292
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:900
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4948
      - C:\Program Files (x86)\Microsoft\Edge\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:1800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:4464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        
        PID:3572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:4708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:3348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:4820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:4708
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Drops file in Program Files directory
        
        PID:4204
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:560
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:2060
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        System policy modification
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
        9⤵
        
        PID:692
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        System policy modification
        
        PID:2380
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
    - - C:\Program Files (x86)\Microsoft.NET\data.exe
        
        "C:\Program Files (x86)\Microsoft.NET\data.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2380
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\System Restore.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:2728
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3268
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2540
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\data.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\data.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:1652
    - - C:\Program Files (x86)\MSBuild\update.exe
        
        "C:\Program Files (x86)\MSBuild\update.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        Drops file in Program Files directory
        
        PID:2856
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:4648
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\update.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\update.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        Disables RegEdit via registry modification
        
        PID:828
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\update.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\update.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:4804
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:4884
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:2476
    - - C:\Program Files (x86)\Windows Defender\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\backup.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:3364
  - - C:\Users\System Restore.exe
      "C:\Users\System Restore.exe" C:\Users\
      4⤵
      PID:3328
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2216
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:2444
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4992
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:3300
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        System policy modification
        
        PID:1876
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:1980
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:4396
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        Disables RegEdit via registry modification
        
        PID:688
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:788
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2396
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2228
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:5028
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:4400
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:788
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:4948
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2080
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2328
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4764
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:2836
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2540
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1804
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        System policy modification
        
        PID:2652
  - - C:\Windows\data.exe
      C:\Windows\data.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:3356
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2160
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:3120
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:1900
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4684
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:5008
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:4296
    - - C:\Windows\apppatch\update.exe
        
        C:\Windows\apppatch\update.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        
        PID:3932
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3948
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:640
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Disables RegEdit via registry modification
        
        PID:648
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        System policy modification
        
        PID:5112
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:5064
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:1652
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:4168
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:868
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:2936
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:3748
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:2632
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1584
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:4380
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:2080
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4688
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:2260
      - C:\Windows\assembly\GAC_32\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\System Restore.exe" C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3028
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2984
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:1808
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2820
- C:\Users\Admin\AppData\Local\Temp\1122105658\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1122105658\backup.exe C:\Users\Admin\AppData\Local\Temp\1122105658\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3304
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4720
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\update.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\update.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:904

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
17d930f2286eb938d0b03f26ace67860

SHA1
1839dfe3a889932bbe7392f864e90d1a1b390f05

SHA256
5aa3bea29949e2a391101a8ca3775cf14197cffb25a2720a559398c478f4f5c9

SHA512
8d03a4aaf5befd37034738e26e02fe25bb670d4a782b99b10bc73f2b6b9a73bbccdc02cc7471443c18b7c208958f4a76dbd731270225381adb313ea585bc1c69

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
17d930f2286eb938d0b03f26ace67860

SHA1
1839dfe3a889932bbe7392f864e90d1a1b390f05

SHA256
5aa3bea29949e2a391101a8ca3775cf14197cffb25a2720a559398c478f4f5c9

SHA512
8d03a4aaf5befd37034738e26e02fe25bb670d4a782b99b10bc73f2b6b9a73bbccdc02cc7471443c18b7c208958f4a76dbd731270225381adb313ea585bc1c69

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
50886c283e69a9d3a7ca90a9f07e0dca

SHA1
4b3a09dc0dc4f8b9d7a40f7033b27ba37220b323

SHA256
568a695e04c48ee880a8c189e4a20beca91a55486d9910cd24587a6d2f16a822

SHA512
789ec9d070118a5aad9da6563fcb48cc6e6203bc544b8a314ea7bc199c83e497905b84f89854c8a1db4b0801c31b8e0f49d938ad38d0f5a94b5f797a43da8ac5

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
50886c283e69a9d3a7ca90a9f07e0dca

SHA1
4b3a09dc0dc4f8b9d7a40f7033b27ba37220b323

SHA256
568a695e04c48ee880a8c189e4a20beca91a55486d9910cd24587a6d2f16a822

SHA512
789ec9d070118a5aad9da6563fcb48cc6e6203bc544b8a314ea7bc199c83e497905b84f89854c8a1db4b0801c31b8e0f49d938ad38d0f5a94b5f797a43da8ac5

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
fe38dd800fa003fa6d29fbbf1bbe6d33

SHA1
9cf4969a83328924351b495a7a468724b93739f6

SHA256
605a8544b3fdda24c97303fda08eee7007631a84ff3650e9bd3beeb2f1a0f1b2

SHA512
7fc3b905a0cdb704b85a3df5585b876ed76dfb455863a83026375ba26ae0980ff3a334377b1519731bef916366ce698337a4664bf92774d8041b147565ad5e7a

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
fe38dd800fa003fa6d29fbbf1bbe6d33

SHA1
9cf4969a83328924351b495a7a468724b93739f6

SHA256
605a8544b3fdda24c97303fda08eee7007631a84ff3650e9bd3beeb2f1a0f1b2

SHA512
7fc3b905a0cdb704b85a3df5585b876ed76dfb455863a83026375ba26ae0980ff3a334377b1519731bef916366ce698337a4664bf92774d8041b147565ad5e7a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfc091a133079770e97efb9543ae3bc2

SHA1
9f1d8c5d0cd8e7951edd9cf22eac635afb1061be

SHA256
8fff330ab1ced082eb0dc99a2f469b741f48783d13899a7fe525cf124fa49c20

SHA512
29c1f213c7c93e937968555fd2858571148869c2941d11d5a593d9282a15ac4694586485bb4aca4fb54ecd49ab9bfb70fb31364747ccbd9de58e6cfb035f5b4b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
dfc091a133079770e97efb9543ae3bc2

SHA1
9f1d8c5d0cd8e7951edd9cf22eac635afb1061be

SHA256
8fff330ab1ced082eb0dc99a2f469b741f48783d13899a7fe525cf124fa49c20

SHA512
29c1f213c7c93e937968555fd2858571148869c2941d11d5a593d9282a15ac4694586485bb4aca4fb54ecd49ab9bfb70fb31364747ccbd9de58e6cfb035f5b4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
2b2ef68c6633492429852b62fcc5aabc

SHA1
b24d3f836aa51defc70f3b2d5c103d204f1332b8

SHA256
90568efefd167db8ed199ac74a695028d276784568158b92325fe97231c89768

SHA512
3535f52e94fff6ba3dcf279b2f07f12d9e77160d1ae49e71d4d4baba2930634da087c5b042f45eb955af5d85a906ffbb3f74edfef9d745b9a8f3e44da57677f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
2b2ef68c6633492429852b62fcc5aabc

SHA1
b24d3f836aa51defc70f3b2d5c103d204f1332b8

SHA256
90568efefd167db8ed199ac74a695028d276784568158b92325fe97231c89768

SHA512
3535f52e94fff6ba3dcf279b2f07f12d9e77160d1ae49e71d4d4baba2930634da087c5b042f45eb955af5d85a906ffbb3f74edfef9d745b9a8f3e44da57677f7

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
fe38dd800fa003fa6d29fbbf1bbe6d33

SHA1
9cf4969a83328924351b495a7a468724b93739f6

SHA256
605a8544b3fdda24c97303fda08eee7007631a84ff3650e9bd3beeb2f1a0f1b2

SHA512
7fc3b905a0cdb704b85a3df5585b876ed76dfb455863a83026375ba26ae0980ff3a334377b1519731bef916366ce698337a4664bf92774d8041b147565ad5e7a

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
fe38dd800fa003fa6d29fbbf1bbe6d33

SHA1
9cf4969a83328924351b495a7a468724b93739f6

SHA256
605a8544b3fdda24c97303fda08eee7007631a84ff3650e9bd3beeb2f1a0f1b2

SHA512
7fc3b905a0cdb704b85a3df5585b876ed76dfb455863a83026375ba26ae0980ff3a334377b1519731bef916366ce698337a4664bf92774d8041b147565ad5e7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2dc2c66a9c7afd597f7d0efd767d84ea

SHA1
358b13b17f0a38856b0aae781200f179b668fc12

SHA256
b7bb213cb554c8b3cc1e52cdb83a3dddcad06e8974a1bcd583f5def7dc0d80de

SHA512
6244e4db2ff43ab9370e24214b3bce5bc85e10969c3d2b4d78bbfa587d6103635bcb352b31652e8d6b7195df3fe19b258c43105a8762228134118dbd3378aa36

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
2dc2c66a9c7afd597f7d0efd767d84ea

SHA1
358b13b17f0a38856b0aae781200f179b668fc12

SHA256
b7bb213cb554c8b3cc1e52cdb83a3dddcad06e8974a1bcd583f5def7dc0d80de

SHA512
6244e4db2ff43ab9370e24214b3bce5bc85e10969c3d2b4d78bbfa587d6103635bcb352b31652e8d6b7195df3fe19b258c43105a8762228134118dbd3378aa36

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
72KB

MD5
4dd93b3fa92c08dc6be14f7e041ccea1

SHA1
8b16a4b84458c90696a0d7c070c35cab22f04dc3

SHA256
b21445b0a0601805b9fcb921f226553673c321288075a7871e2c73dd775aa9ec

SHA512
342a8a25d62306ed48a1f2a47671460139263b8c62dc57e476c44bd3701d8fa49a527bd267714a4fc4d0492c71705664d6ff1c4a63f5ab95cfc094dce9c44f2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\System Restore.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\update.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
c3de1306e78e9f1ca910229dcb6a124c

SHA1
980e93f286405f227a1d5bc76b1c2a911bfa861a

SHA256
3f05c67e6c4c0172716e9cb770699b50949bf530b0de468733b2bd28134aeb09

SHA512
b7d1cd7538b4ebeb73a662c7fba05a4eb474ef010c7cc02b90bd487bc17d3c3944cc3ef23a9c81079ab2db397be214a469e2b57e901866bffd19d6d790878457

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\update.exe

Filesize
72KB

MD5
2b2ef68c6633492429852b62fcc5aabc

SHA1
b24d3f836aa51defc70f3b2d5c103d204f1332b8

SHA256
90568efefd167db8ed199ac74a695028d276784568158b92325fe97231c89768

SHA512
3535f52e94fff6ba3dcf279b2f07f12d9e77160d1ae49e71d4d4baba2930634da087c5b042f45eb955af5d85a906ffbb3f74edfef9d745b9a8f3e44da57677f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\update.exe

Filesize
72KB

MD5
2b2ef68c6633492429852b62fcc5aabc

SHA1
b24d3f836aa51defc70f3b2d5c103d204f1332b8

SHA256
90568efefd167db8ed199ac74a695028d276784568158b92325fe97231c89768

SHA512
3535f52e94fff6ba3dcf279b2f07f12d9e77160d1ae49e71d4d4baba2930634da087c5b042f45eb955af5d85a906ffbb3f74edfef9d745b9a8f3e44da57677f7

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1122105658\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1122105658\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1122105658\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\data.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
dc97e3b71115ad7d0c8e2dc377be14f3

SHA1
4294a95cf5d1557c89f8e469ea6157318e2e8678

SHA256
70c864897c25e917acc94f2b63fbbabe6751cbfc51d52263492bd237b24d0e38

SHA512
8f87e7cbb5e56485340893fc8116d24d7a2970fbad54dd0a3d93a493d91f98c99ec74f40f86d372cb9947e7c9ef4dfd4e5b5ae565de3b1d6a7275eb7e9aa8b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
dc97e3b71115ad7d0c8e2dc377be14f3

SHA1
4294a95cf5d1557c89f8e469ea6157318e2e8678

SHA256
70c864897c25e917acc94f2b63fbbabe6751cbfc51d52263492bd237b24d0e38

SHA512
8f87e7cbb5e56485340893fc8116d24d7a2970fbad54dd0a3d93a493d91f98c99ec74f40f86d372cb9947e7c9ef4dfd4e5b5ae565de3b1d6a7275eb7e9aa8b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\update.exe

Filesize
72KB

MD5
9634147188ef86e070c7ef0e90b32a02

SHA1
1bccdddd52833890388984f5bba1f6b9b6e85510

SHA256
dcae27614434be4035ce7f6bde5251e5aec4d176a51ef4b1a0bb3e730ea8a5ee

SHA512
c8907c1eaca6d0ba38abe801e1c9d03fda220d077c5adfe1129728e2e6898c023da0902947221217d3b5e177a1ab5d45b66eec501ad59d0ac9dd1b0eb514e571

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\update.exe

Filesize
72KB

MD5
9634147188ef86e070c7ef0e90b32a02

SHA1
1bccdddd52833890388984f5bba1f6b9b6e85510

SHA256
dcae27614434be4035ce7f6bde5251e5aec4d176a51ef4b1a0bb3e730ea8a5ee

SHA512
c8907c1eaca6d0ba38abe801e1c9d03fda220d077c5adfe1129728e2e6898c023da0902947221217d3b5e177a1ab5d45b66eec501ad59d0ac9dd1b0eb514e571

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
f30e7cec8be6bc8120d9d0b1d3698c55

SHA1
f7eb8aa0c050abc6b8d31dee58db2248be22dc88

SHA256
35bbc3540d5721013ed89a4772eb6a675adda88f206c4a00bb31c6daee5ff180

SHA512
97f1130932357087de3bc6dca93084f92329cb6f52de2c1501ffeeec1aedd38cbc90b1562ec3b9552b8b851dbfdc45d98b7a67288315e8fd01a568df54b4404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
6688ff136b1afe2254892994af3cc069

SHA1
e449e0460ae7c7f6b8f67c662e13da68490bf009

SHA256
0cd6cdf909380bf3d53ed4145d30d0644e22f73c977513b05826485a750a64ce

SHA512
be2c756337681077cf4471a1889c7b34870fef731e73f5de7b3121125668159b002dd31f3077ec10cb7d55684198978e9b2366c173c41e8c89154ee7451caa1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AE1D4D88-3049-4A83-A1FC-D8CA1DA97038}\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AE1D4D88-3049-4A83-A1FC-D8CA1DA97038}\backup.exe

Filesize
72KB

MD5
33f7ade19e8caf4f93276ea4e9611930

SHA1
fd55f4c6c56dc30026dec0af849163d5b7408346

SHA256
3af0a6e06f7ef55bcaf122116533efa4bd8ab36bdfae081d3947a1000314b40d

SHA512
6151aacbcf2929b2991433fa3239931e06b3290603c1a36a494b75b186d8ebe477eef8cdc0ee1b7fb7695ba81f36de5b2ea2ad25878d4d2bd2002334f04e9ac9

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0357b3f7e62d536a793fd90e354e43bf

SHA1
9ac73ba0c4d182444e2a63d3494731c93c2f085f

SHA256
53181ea0c0581a1eb4bd5ded9df87436541065261e64c3b7519114030c4e090e

SHA512
857299d3ed5bca307225abdb209fb11343d7d71c14093727a8a105414f8b0d7d63d7b4fc0d942ffd5b9c3800adef7e411fd3bd451ada07f75b4ae2e1853dc9e0

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0357b3f7e62d536a793fd90e354e43bf

SHA1
9ac73ba0c4d182444e2a63d3494731c93c2f085f

SHA256
53181ea0c0581a1eb4bd5ded9df87436541065261e64c3b7519114030c4e090e

SHA512
857299d3ed5bca307225abdb209fb11343d7d71c14093727a8a105414f8b0d7d63d7b4fc0d942ffd5b9c3800adef7e411fd3bd451ada07f75b4ae2e1853dc9e0

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit
C:\odt\backup.exe

Filesize
72KB

MD5
2bc03c7454a37b91372de9dbf45937e9

SHA1
1e3f6f958d1e021ea3e4ebc2fa072f0809b11ff8

SHA256
100155d5b068713f71c132f40aab7d74cac6dfbc21a3499f1e2f0dc51e3f9602

SHA512
58128699e23356341ae02793113b00c70ca057a0347dc27d1971e9b1b8547f526c81dd1b5394001a8f7fdb2b3be2962a866af41b862c0e5a7c9338c10b35dd25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads