fed5f43d54a794688cc827e0a4139b5bfa95ae0c657e017ed72dc1af0c52f98b

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa7525469b461db1247c4abc8d4eff0_JC.exe
Size

40KB
MD5

dfa7525469b461db1247c4abc8d4eff0
SHA1

51425c11c148ff73861b1d3af96c108d6935d3ad
SHA256

fed5f43d54a794688cc827e0a4139b5bfa95ae0c657e017ed72dc1af0c52f98b
SHA512

56ac4bb7c7f0fb1ecd8fe75e2f92ac39012c0a2f8cdaca232d4614970bc2158da14dac5b45e857f01aebf63eecd7d82a4bd54dbf5dc62e3b87fd03623d8ce1ee
SSDEEP

384:kqnuO1JCHYdHz4XpfHEI6/dDEPjaVC6fMbUyFm0tyXLBI89wvuAv1mwnA3Z3BXRo:kqnum1F6/789ujYTyLylze70wi3BEmIP

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dfa7525469b461db1247c4abc8d4eff0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 51 IoCs

pid	Process
2728	backup.exe
3808	backup.exe
2064	backup.exe
3672	backup.exe
4112	backup.exe
2644	backup.exe
2096	backup.exe
3288	backup.exe
4120	backup.exe
1088	backup.exe
5048	backup.exe
3188	backup.exe
3196	backup.exe
3048	backup.exe
1000	backup.exe
3540	backup.exe
4932	System Restore.exe
4248	backup.exe
3384	System Restore.exe
2980	backup.exe
4940	backup.exe
2484	backup.exe
2176	backup.exe
5020	backup.exe
2844	backup.exe
4520	backup.exe
640	backup.exe
3952	backup.exe
4920	backup.exe
3740	backup.exe
1148	backup.exe
4632	backup.exe
4728	backup.exe
4528	backup.exe
1688	backup.exe
1724	backup.exe
4924	backup.exe
3808	backup.exe
4004	backup.exe
2712	backup.exe
1504	backup.exe
2396	backup.exe
3856	backup.exe
1316	backup.exe
3892	backup.exe
4976	backup.exe
3752	backup.exe
3392	backup.exe
5008	backup.exe
1176	update.exe
3232	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000600000002323d-7.dat	upx
behavioral2/files/0x000600000002323d-6.dat	upx
behavioral2/files/0x000600000002323f-12.dat	upx
behavioral2/files/0x000600000002323f-11.dat	upx
behavioral2/files/0x000600000002323f-13.dat	upx
behavioral2/files/0x0007000000023241-18.dat	upx
behavioral2/files/0x0007000000023241-19.dat	upx
behavioral2/memory/3808-20-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023239-25.dat	upx
behavioral2/files/0x0007000000023239-26.dat	upx
behavioral2/memory/3672-30-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023244-32.dat	upx
behavioral2/files/0x0007000000023244-33.dat	upx
behavioral2/files/0x0006000000023246-38.dat	upx
behavioral2/files/0x0006000000023246-39.dat	upx
behavioral2/memory/2644-40-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023247-44.dat	upx
behavioral2/files/0x0006000000023247-45.dat	upx
behavioral2/memory/2644-53-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023248-55.dat	upx
behavioral2/files/0x0007000000023248-52.dat	upx
behavioral2/memory/4120-58-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000600000002324a-56.dat	upx
behavioral2/files/0x000600000002324a-57.dat	upx
behavioral2/memory/4120-65-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3288-68-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000700000002324c-69.dat	upx
behavioral2/files/0x000700000002324c-72.dat	upx
behavioral2/memory/4980-71-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000700000002324b-70.dat	upx
behavioral2/memory/2728-73-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000700000002324b-74.dat	upx
behavioral2/memory/1088-80-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/5048-83-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x000700000002324d-82.dat	upx
behavioral2/files/0x000700000002324e-86.dat	upx
behavioral2/files/0x000700000002324d-89.dat	upx
behavioral2/files/0x000700000002324e-88.dat	upx
behavioral2/memory/2064-87-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023251-97.dat	upx
behavioral2/files/0x0006000000023251-100.dat	upx
behavioral2/files/0x0006000000023252-101.dat	upx
behavioral2/memory/4112-102-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023252-99.dat	upx
behavioral2/files/0x0006000000023255-110.dat	upx
behavioral2/files/0x0006000000023255-111.dat	upx
behavioral2/memory/2096-114-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023256-113.dat	upx
behavioral2/files/0x0006000000023256-115.dat	upx
behavioral2/memory/3188-121-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3048-126-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1000-128-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000023253-130.dat	upx
behavioral2/files/0x0007000000023253-132.dat	upx
behavioral2/files/0x000700000002324f-131.dat	upx
behavioral2/files/0x000700000002324f-129.dat	upx
behavioral2/memory/3540-127-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4932-123-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000023259-142.dat	upx
behavioral2/files/0x0007000000023258-141.dat	upx
behavioral2/files/0x0007000000023258-144.dat	upx
behavioral2/files/0x0006000000023259-143.dat	upx
behavioral2/memory/2980-149-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe
2728	backup.exe
3808	backup.exe
2064	backup.exe
3672	backup.exe
4112	backup.exe
2644	backup.exe
2096	backup.exe
3288	backup.exe
4120	backup.exe
1088	backup.exe
5048	backup.exe
3196	backup.exe
3188	backup.exe
1000	backup.exe
3048	backup.exe
4932	System Restore.exe
3540	backup.exe
4248	backup.exe
3384	System Restore.exe
2980	backup.exe
4940	backup.exe
2176	backup.exe
2484	backup.exe
5020	backup.exe
2844	backup.exe
4520	backup.exe
640	backup.exe
3952	backup.exe
4920	backup.exe
3740	backup.exe
1148	backup.exe
4632	backup.exe
4728	backup.exe
4528	backup.exe
1688	backup.exe
4924	backup.exe
1724	backup.exe
3808	backup.exe
4004	backup.exe
2712	backup.exe
1504	backup.exe
2396	backup.exe
3856	backup.exe
1316	backup.exe
3892	backup.exe
4976	backup.exe
3752	backup.exe
3392	backup.exe
5008	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2728	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	82
PID 4980 wrote to memory of 2728	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	82
PID 4980 wrote to memory of 2728	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	82
PID 4980 wrote to memory of 3808	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	84
PID 4980 wrote to memory of 3808	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	84
PID 4980 wrote to memory of 3808	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	84
PID 4980 wrote to memory of 2064	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	85
PID 4980 wrote to memory of 2064	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	85
PID 4980 wrote to memory of 2064	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	85
PID 4980 wrote to memory of 3672	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	86
PID 4980 wrote to memory of 3672	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	86
PID 4980 wrote to memory of 3672	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	86
PID 4980 wrote to memory of 4112	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	87
PID 4980 wrote to memory of 4112	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	87
PID 4980 wrote to memory of 4112	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	87
PID 4980 wrote to memory of 2644	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	88
PID 4980 wrote to memory of 2644	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	88
PID 4980 wrote to memory of 2644	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	88
PID 2728 wrote to memory of 2096	2728	backup.exe	89
PID 2728 wrote to memory of 2096	2728	backup.exe	89
PID 2728 wrote to memory of 2096	2728	backup.exe	89
PID 4980 wrote to memory of 3288	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	90
PID 4980 wrote to memory of 3288	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	90
PID 4980 wrote to memory of 3288	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	90
PID 2096 wrote to memory of 4120	2096	backup.exe	91
PID 2096 wrote to memory of 4120	2096	backup.exe	91
PID 2096 wrote to memory of 4120	2096	backup.exe	91
PID 2096 wrote to memory of 5048	2096	backup.exe	92
PID 2096 wrote to memory of 5048	2096	backup.exe	92
PID 2096 wrote to memory of 5048	2096	backup.exe	92
PID 4980 wrote to memory of 1088	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	93
PID 4980 wrote to memory of 1088	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	93
PID 4980 wrote to memory of 1088	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	93
PID 4980 wrote to memory of 3188	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	94
PID 4980 wrote to memory of 3188	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	94
PID 4980 wrote to memory of 3188	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	94
PID 2096 wrote to memory of 3196	2096	backup.exe	95
PID 2096 wrote to memory of 3196	2096	backup.exe	95
PID 2096 wrote to memory of 3196	2096	backup.exe	95
PID 3188 wrote to memory of 3048	3188	backup.exe	96
PID 3188 wrote to memory of 3048	3188	backup.exe	96
PID 3188 wrote to memory of 3048	3188	backup.exe	96
PID 3196 wrote to memory of 1000	3196	backup.exe	97
PID 3196 wrote to memory of 1000	3196	backup.exe	97
PID 3196 wrote to memory of 1000	3196	backup.exe	97
PID 1000 wrote to memory of 3540	1000	backup.exe	98
PID 1000 wrote to memory of 3540	1000	backup.exe	98
PID 1000 wrote to memory of 3540	1000	backup.exe	98
PID 3048 wrote to memory of 4932	3048	backup.exe	99
PID 3048 wrote to memory of 4932	3048	backup.exe	99
PID 3048 wrote to memory of 4932	3048	backup.exe	99
PID 4980 wrote to memory of 4248	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	101
PID 4980 wrote to memory of 4248	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	101
PID 4980 wrote to memory of 4248	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	101
PID 3196 wrote to memory of 3384	3196	backup.exe	100
PID 3196 wrote to memory of 3384	3196	backup.exe	100
PID 3196 wrote to memory of 3384	3196	backup.exe	100
PID 4248 wrote to memory of 2980	4248	backup.exe	139
PID 4248 wrote to memory of 2980	4248	backup.exe	139
PID 4248 wrote to memory of 2980	4248	backup.exe	139
PID 3384 wrote to memory of 4940	3384	System Restore.exe	103
PID 3384 wrote to memory of 4940	3384	System Restore.exe	103
PID 3384 wrote to memory of 4940	3384	System Restore.exe	103
PID 4980 wrote to memory of 2484	4980	dfa7525469b461db1247c4abc8d4eff0_JC.exe	104

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfa7525469b461db1247c4abc8d4eff0_JC.exe

C:\Users\Admin\AppData\Local\Temp\dfa7525469b461db1247c4abc8d4eff0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dfa7525469b461db1247c4abc8d4eff0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4980
- C:\Users\Admin\AppData\Local\Temp\{BE42800B-C9A4-4E6E-B69C-BFA047D5726A}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{BE42800B-C9A4-4E6E-B69C-BFA047D5726A}\backup.exe C:\Users\Admin\AppData\Local\Temp\{BE42800B-C9A4-4E6E-B69C-BFA047D5726A}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2728
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2096
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4120
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:5048
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3196
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1000
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3540
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3384
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4940
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2176
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        
        PID:2844
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        
        PID:4920
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4728
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        9⤵
        
        PID:5408
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        9⤵
        
        PID:2376
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:4924
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        
        PID:3808
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2712
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2396
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1316
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4976
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        
        PID:5008
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        
        PID:4108
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:3844
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2980
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        
        PID:404
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        
        PID:1608
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        
        PID:3884
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        
        PID:2472
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        
        PID:1492
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:4704
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        
        PID:4464
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:4648
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        
        PID:624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        10⤵
        
        PID:372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        10⤵
        
        PID:5152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        10⤵
        
        PID:1264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        10⤵
        
        PID:3872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        10⤵
        
        PID:212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        10⤵
        
        PID:3108
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:2452
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        
        PID:3352
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        
        PID:1016
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        9⤵
        
        PID:3036
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        
        PID:5048
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:3228
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\
        9⤵
        
        PID:4336
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\data.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\
        9⤵
        
        PID:5188
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\
        9⤵
        
        PID:6040
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:4468
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1628
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        
        PID:456
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        
        PID:728
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        
        PID:1968
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        
        PID:3288
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        
        PID:2232
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        
        PID:880
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        
        PID:4424
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        
        PID:3444
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        
        PID:876
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        9⤵
        
        PID:3448
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        10⤵
        
        PID:5540
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        9⤵
        
        PID:4632
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        
        PID:636
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:1780
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:4704
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:828
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:3652
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        
        PID:3724
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:4760
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:2420
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:236
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:3352
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:4880
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:404
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1312
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4336
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        
        PID:4136
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:3288
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        9⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C82D344-D562-4E56-97D6-8E949E6EFB92}\EDGEMITMP_2F938.tmp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C82D344-D562-4E56-97D6-8E949E6EFB92}\EDGEMITMP_2F938.tmp\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5C82D344-D562-4E56-97D6-8E949E6EFB92}\EDGEMITMP_2F938.tmp\
        9⤵
        
        PID:3712
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:4048
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:392
        
        C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:4544
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2540
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:2032
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        
        PID:2952
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        
        PID:4784
        
        C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:236
        
        C:\Program Files\Common Files\microsoft shared\VSTO\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:3056
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:3792
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:880
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\
        7⤵
        
        PID:5940
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
        7⤵
        
        PID:5584
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1612
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2136
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:3416
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:232
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:4988
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4544
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:4356
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:4892
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1000
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1820
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:4924
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2368
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:3056
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:3312
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:240
        
        C:\Program Files\Common Files\System\msadc\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\update.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:4560
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1740
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:3088
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:3312
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4924
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2652
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:3684
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4140
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3080
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:4720
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:3956
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2896
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:4184
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:3380
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:4784
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:3660
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:3312
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:5008
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:3712
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:3956
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:2800
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:3612
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:3332
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3752
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\EBWebView\x86\
        12⤵
        
        PID:3380
        
        C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\amd64\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
        10⤵
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3952
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:5080
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:3376
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:4832
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1228
      - C:\Program Files\Internet Explorer\fr-FR\update.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\update.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2472
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:3888
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:3980
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2960
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4520
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2116
      - C:\Program Files\Java\jdk1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
        6⤵
        
        PID:4260
        
        C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
        7⤵
        
        PID:3384
        
        C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
        7⤵
        
        PID:3592
        
        C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
        8⤵
        
        PID:1680
        
        C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
        8⤵
        
        PID:4100
        
        C:\Program Files\Java\jdk1.8.0_66\include\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\
        7⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
        8⤵
        
        PID:1312
        
        C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\update.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
        9⤵
        
        PID:3840
        
        C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
        7⤵
        
        PID:3736
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
        8⤵
        
        PID:2132
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
        9⤵
        
        PID:3840
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
        9⤵
        
        PID:2280
        
        C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
        9⤵
        
        PID:2056
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
        8⤵
        
        PID:3976
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
        9⤵
        
        PID:2064
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\
        9⤵
        
        PID:2800
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\
        9⤵
        
        PID:3036
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\
        9⤵
        
        PID:528
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\
        9⤵
        
        PID:3396
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\
        9⤵
        
        PID:3876
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\
        9⤵
        
        PID:3816
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\
        9⤵
        
        PID:4456
        
        C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\
        9⤵
        
        PID:832
        
        C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
        7⤵
        
        PID:4116
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
        8⤵
        
        PID:2392
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
        9⤵
        
        PID:3880
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:4912
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:3376
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
        9⤵
        
        PID:752
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\
        9⤵
        
        PID:528
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:4672
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:4484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        11⤵
        
        PID:4440
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\update.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:372
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        11⤵
        
        PID:5648
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        
        PID:5064
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        
        PID:5572
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\System Restore.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        11⤵
        
        PID:2364
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:4940
        
        C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\
        8⤵
        
        PID:1872
      - C:\Program Files\Java\jre1.8.0_66\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
        6⤵
        
        PID:1764
        
        C:\Program Files\Java\jre1.8.0_66\bin\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\update.exe" C:\Program Files\Java\jre1.8.0_66\bin\
        7⤵
        
        PID:4928
        
        C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\data.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
        8⤵
        
        PID:1228
        
        C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
        8⤵
        
        PID:2468
        
        C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\server\update.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
        8⤵
        
        PID:2860
        
        C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
        7⤵
        
        PID:3612
        
        C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\applet\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\applet\
        8⤵
        
        PID:3040
        
        C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\cmm\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\cmm\
        8⤵
        
        PID:4928
        
        C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\deploy\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\deploy\
        8⤵
        
        PID:3192
        
        C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\fonts\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\fonts\
        8⤵
        
        PID:3212
        
        C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        9⤵
        
        PID:5864
        
        C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\ext\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\ext\
        8⤵
        
        PID:3244
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\
        8⤵
        
        PID:3644
        
        C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\
        9⤵
        
        PID:4448
        
        C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\management\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\management\
        8⤵
        
        PID:4672
        
        C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\jfr\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\jfr\
        8⤵
        
        PID:3424
        
        C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe
        
        "C:\Program Files\Java\jre1.8.0_66\lib\security\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\security\
        8⤵
        
        PID:5020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        7⤵
        
        PID:3404
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1776
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:4716
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:1608
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:3968
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:512
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        
        PID:2700
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:3980
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:5024
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:4712
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:4332
        
        C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        7⤵
        
        PID:4920
        
        C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3892
        
        C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        7⤵
        
        PID:4332
        
        C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        7⤵
        
        PID:2256
        
        C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        7⤵
        
        PID:2536
        
        C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        7⤵
        
        PID:2448
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        8⤵
        
        PID:6044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        8⤵
        
        PID:5336
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        8⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        8⤵
        
        PID:5072
        
        C:\Program Files\Microsoft Office\root\vreg\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
        7⤵
        
        PID:5836
      - C:\Program Files\Microsoft Office\Updates\update.exe
        
        "C:\Program Files\Microsoft Office\Updates\update.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        
        PID:4468
        
        C:\Program Files\Microsoft Office\Updates\Apply\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\data.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:4364
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        8⤵
        
        PID:4808
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\82E8C137-863C-4609-9874-1F1419EBDDE7\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\82E8C137-863C-4609-9874-1F1419EBDDE7\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\82E8C137-863C-4609-9874-1F1419EBDDE7\
        9⤵
        
        PID:4104
        
        C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        7⤵
        
        PID:1780
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        
        PID:4164
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:3256
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        7⤵
        
        PID:380
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        7⤵
        
        PID:5556
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        7⤵
        
        PID:1284
    - - C:\Program Files\Mozilla Firefox\update.exe
        
        "C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2952
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1948
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:2236
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:5076
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:4828
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:1128
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        7⤵
        
        PID:4136
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:3980
    - - C:\Program Files\MSBuild\data.exe
        
        "C:\Program Files\MSBuild\data.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:5036
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:4544
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:4500
      - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        
        PID:4320
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        6⤵
        
        PID:5256
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:4848
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:1660
      - C:\Program Files\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files\Windows Media Player\en-US\backup.exe" C:\Program Files\Windows Media Player\en-US\
        6⤵
        
        PID:5476
      - C:\Program Files\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files\Windows Media Player\es-ES\backup.exe" C:\Program Files\Windows Media Player\es-ES\
        6⤵
        
        PID:876
      - C:\Program Files\Windows Media Player\it-IT\backup.exe
        
        "C:\Program Files\Windows Media Player\it-IT\backup.exe" C:\Program Files\Windows Media Player\it-IT\
        6⤵
        
        PID:960
      - C:\Program Files\Windows Media Player\ja-JP\backup.exe
        
        "C:\Program Files\Windows Media Player\ja-JP\backup.exe" C:\Program Files\Windows Media Player\ja-JP\
        6⤵
        
        PID:2284
    - - C:\Program Files\Windows Multimedia Platform\backup.exe
        
        "C:\Program Files\Windows Multimedia Platform\backup.exe" C:\Program Files\Windows Multimedia Platform\
        5⤵
        
        PID:2928
    - - C:\Program Files\Windows NT\backup.exe
        
        "C:\Program Files\Windows NT\backup.exe" C:\Program Files\Windows NT\
        5⤵
        
        PID:3228
    - - C:\Program Files\Windows Photo Viewer\backup.exe
        
        "C:\Program Files\Windows Photo Viewer\backup.exe" C:\Program Files\Windows Photo Viewer\
        5⤵
        
        PID:5236
  - - C:\Program Files (x86)\update.exe
      "C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
      4⤵
      PID:4452
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:3684
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:3324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:2180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:2376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:3368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:3880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:1856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:4656
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:5100
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        9⤵
        
        PID:3188
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:3396
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:372
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5008
        
        C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        10⤵
        
        PID:1912
        
        C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        11⤵
        
        PID:1948
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        11⤵
        
        PID:6036
        
        C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
        12⤵
        
        PID:5252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        10⤵
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        10⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        10⤵
        
        PID:3796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:5068
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:3388
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:2992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:3324
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        
        PID:4204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        13⤵
        
        PID:1500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        14⤵
        
        PID:5112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        12⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        13⤵
        
        PID:1740
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        14⤵
        
        PID:4524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        14⤵
        
        PID:60
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        12⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
        13⤵
        
        PID:4288
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
        14⤵
        
        PID:4924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        
        PID:4164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:4912
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        12⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        11⤵
        
        PID:3616
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        12⤵
        
        PID:2112
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        12⤵
        
        PID:5400
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        13⤵
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        12⤵
        
        PID:3856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        13⤵
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\
        13⤵
        
        PID:3676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        12⤵
        
        PID:5704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        12⤵
        
        PID:1320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\
        12⤵
        
        PID:5980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4936
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:4164
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:1800
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:3328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:3380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:3712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3212
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:3492
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:4808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4428
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2740
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1308
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2700
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:3512
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3220
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:1128
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:2448
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:4356
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:4900
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3376
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:960
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:2952
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        
        PID:1452
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        
        PID:3792
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:880
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:408
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:456
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:232
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:3668
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        
        PID:3188
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:2464
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:1132
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:2156
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2900
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:2420
      - C:\Program Files (x86)\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:4204
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:5064
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:1456
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2800
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:3876
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2468
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:4528
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:4720
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        8⤵
        
        PID:2652
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:3848
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:3264
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:4784
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:3724
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2088
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2236
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1912
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:4112
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1128
      - C:\Program Files (x86)\Common Files\Services\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Services\System Restore.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:4584
      - C:\Program Files (x86)\Common Files\System\data.exe
        
        "C:\Program Files (x86)\Common Files\System\data.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:880
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:3340
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1516
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:2096
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\update.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:3192
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1116
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1820
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3152
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:796
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:456
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2740
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4700
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:4928
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2960
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
        7⤵
        
        PID:4828
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        7⤵
        
        PID:1160
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\data.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\data.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        7⤵
        
        PID:4960
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1800
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\data.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\data.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2468
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3980
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:2112
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:3192
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:372
        
        C:\Program Files (x86)\Google\Update\Install\{FEA04266-D93C-4034-8118-4E82D93D05AB}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{FEA04266-D93C-4034-8118-4E82D93D05AB}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{FEA04266-D93C-4034-8118-4E82D93D05AB}\
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:4448
        
        C:\Program Files (x86)\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\en-US\backup.exe" C:\Program Files (x86)\Windows Media Player\en-US\
        7⤵
        
        PID:5116
        
        C:\Program Files (x86)\Windows Media Player\es-ES\update.exe
        
        "C:\Program Files (x86)\Windows Media Player\es-ES\update.exe" C:\Program Files (x86)\Windows Media Player\es-ES\
        7⤵
        
        PID:5320
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\data.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\data.exe" C:\Program Files (x86)\Windows Media Player\ja-JP\
        7⤵
        
        PID:5648
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:5020
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1740
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4524
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:680
      - C:\Program Files (x86)\Internet Explorer\images\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\System Restore.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1152
      - C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4140
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1000
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:1160
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:4632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:2632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        
        PID:2708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        9⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        9⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        9⤵
        
        PID:3980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
        10⤵
        
        PID:1104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
        10⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\
        9⤵
        
        PID:4440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\
        9⤵
        
        PID:1536
      - C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\
        6⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\
        7⤵
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\edge_feedback\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\edge_feedback\
        8⤵
        
        PID:380
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Extensions\
        8⤵
        
        PID:392
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\MEIPreload\
        8⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\
        8⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\Trust Protection Lists\Mu\
        9⤵
        
        PID:828
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\
        6⤵
        
        PID:1164
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\data.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\
        7⤵
        
        PID:3900
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:5484
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:1516
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:5616
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:5452
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:5536
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:4632
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:5252
    - - C:\Program Files (x86)\Windows Defender\data.exe
        
        "C:\Program Files (x86)\Windows Defender\data.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:5908
      - C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:3324
      - C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe" C:\Program Files (x86)\Windows Defender\ja-JP\
        6⤵
        
        PID:3212
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:1272
    - - C:\Program Files (x86)\Windows Multimedia Platform\backup.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\backup.exe" C:\Program Files (x86)\Windows Multimedia Platform\
        5⤵
        
        PID:5112
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:544
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3416
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        
        PID:2468
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4464
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1540
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:8
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:3428
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:2376
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:3540
      - C:\Users\Admin\Favorites\update.exe
        
        C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2340
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3840
      - C:\Users\Admin\Music\update.exe
        
        C:\Users\Admin\Music\update.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1160
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:2652
      - C:\Users\Admin\Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\System Restore.exe" C:\Users\Admin\Pictures\
        6⤵
        
        PID:1484
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:408
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:2236
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:3976
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:4100
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1484
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:3404
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2472
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:3876
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4116
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:4896
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2928
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        7⤵
        
        PID:5708
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        7⤵
        
        PID:2664
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        7⤵
        
        PID:6060
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:3884
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4524
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:4512
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:1968
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:3328
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:2012
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:1796
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:1640
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:3740
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:640
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:3780
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3404
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        Drops file in Program Files directory
        
        PID:640
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4604
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:5072
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:3388
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:3056
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:3668
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:5024
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:5064
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:1612
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:2092
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:4712
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:3056
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\
        7⤵
        
        PID:4936
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        7⤵
        
        PID:1316
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:4524
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\
        7⤵
        
        PID:3448
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\
        8⤵
        
        PID:5372
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\
        7⤵
        
        PID:1768
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\
        8⤵
        
        PID:3612
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        
        PID:5804
    - - C:\Windows\bcastdvr\System Restore.exe
        
        "C:\Windows\bcastdvr\System Restore.exe" C:\Windows\bcastdvr\
        5⤵
        
        PID:3100
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:4736
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:4136
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:5248
    - - C:\Windows\GameBarPresenceWriter\backup.exe
        
        C:\Windows\GameBarPresenceWriter\backup.exe C:\Windows\GameBarPresenceWriter\
        5⤵
        
        PID:5960
- C:\Users\Admin\AppData\Local\Temp\593055085\backup.exe
  C:\Users\Admin\AppData\Local\Temp\593055085\backup.exe C:\Users\Admin\AppData\Local\Temp\593055085\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4932
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        5⤵
        
        PID:3380
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        6⤵
        
        PID:3628
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        6⤵
        
        PID:5124
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        6⤵
        
        PID:3736
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\CRX_INSTALL\
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\backup.exe
      C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\
      4⤵
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\bg\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\bg\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\bg\
        5⤵
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ca\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ca\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ca\
        5⤵
        
        PID:3740
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\cs\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\cs\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\cs\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\da\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\da\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\da\
        5⤵
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\de\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\de\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\de\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\el\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\el\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\el\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4004
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en_GB\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en_GB\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\en_GB\
        5⤵
        
        PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es\
        5⤵
        
        PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es_419\System Restore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es_419\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\es_419\
        5⤵
        
        PID:3752
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\et\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\et\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\et\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fi\
        5⤵
        
        PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fil\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fil\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fil\
        5⤵
        
        PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\fr\
        5⤵
        
        PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hi\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hi\
        5⤵
        
        PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hr\
        5⤵
        
        PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hu\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\hu\
        5⤵
        
        PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\id\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\id\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\id\
        5⤵
        
        PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\it\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\it\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\it\
        5⤵
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ja\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ja\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ja\
        5⤵
        
        PID:728
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ko\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ko\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ko\
        5⤵
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lt\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lt\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lt\
        5⤵
        
        PID:1732
      - C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        6⤵
        
        PID:2592
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        7⤵
        
        PID:2464
      - C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        6⤵
        
        PID:5112
      - C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        6⤵
        
        PID:5924
      - C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        6⤵
        
        PID:60
      - C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        6⤵
        
        PID:5852
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        7⤵
        
        PID:4356
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        8⤵
        
        PID:1132
      - C:\Program Files\Microsoft Office\root\Office16\FPA_f14\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\update.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        6⤵
        
        PID:4504
      - C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        6⤵
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lv\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lv\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\lv\
        5⤵
        
        PID:392
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nb\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nb\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nb\
        5⤵
        
        PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\nl\
        5⤵
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pl\
        5⤵
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_BR\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_BR\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_BR\
        5⤵
        
        PID:3860
      - C:\Windows\DiagTrack\Scenarios\backup.exe
        
        C:\Windows\DiagTrack\Scenarios\backup.exe C:\Windows\DiagTrack\Scenarios\
        6⤵
        
        PID:6108
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_PT\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_PT\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\pt_PT\
        5⤵
        
        PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ro\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ro\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ro\
        5⤵
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ru\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ru\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ru\
        5⤵
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sk\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sk\
        5⤵
        
        PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sl\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sl\
        5⤵
        
        PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sr\backup.exe
        
        C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\sr\
        5⤵
        
        PID:2312
      - C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        6⤵
        
        PID:3968
- - C:\Program Files\Windows Defender\es-ES\backup.exe
    "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
    3⤵
    PID:5524
- - C:\Program Files\Windows Defender\fr-FR\backup.exe
    "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
    3⤵
    PID:4940
- - C:\Program Files\Windows Defender\it-IT\backup.exe
    "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
    3⤵
    PID:5412
- - C:\Program Files\Windows Defender\ja-JP\backup.exe
    "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
    3⤵
    PID:5176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3808

C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
1⤵
PID:2040

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
1⤵
PID:5048

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
1⤵
PID:3244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
1⤵
PID:2060

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
1⤵
PID:3740
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
  2⤵
  PID:3548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
    3⤵
    PID:6076
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
      4⤵
      PID:5532
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
      4⤵
      PID:3900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
      4⤵
      PID:5432
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\
      4⤵
      PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
1⤵
PID:1856

C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
1⤵
PID:2064

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\82E8C137-863C-4609-9874-1F1419EBDDE7\root\vfs\Windows\
1⤵
PID:4260

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\update.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\
1⤵
PID:316

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
1⤵
PID:2980
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
  2⤵
  PID:3264

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\
1⤵
PID:2236

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
1⤵
PID:1684
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
  2⤵
  PID:5812

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
1⤵
PID:1868

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\System Restore.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
1⤵
PID:4544

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
1⤵
PID:6052

C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\identity_proxy\win10\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\identity_proxy\win10\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.76\identity_proxy\win10\
1⤵
PID:5056

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
1⤵
PID:5192

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
1⤵
PID:6048
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
  2⤵
  PID:6136

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
1⤵
PID:5204

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
1⤵
PID:5968

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\BHO\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\BHO\
1⤵
PID:5572

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\data.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\
1⤵
PID:5652

C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
1⤵
PID:3892

C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe
"C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
1⤵
PID:5668
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
  2⤵
  PID:456
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
  "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
  2⤵
  PID:5652
- - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
    "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
    3⤵
    PID:5416

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
1⤵
PID:5268
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
  "C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
  2⤵
  PID:5572

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\
1⤵
PID:1488

C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x64\
1⤵
PID:2136

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\
1⤵
PID:5568

C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
1⤵
PID:2012
- C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
  2⤵
  PID:4680

C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
1⤵
PID:212

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
1⤵
PID:5596
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
  2⤵
  PID:2112
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\
  2⤵
  PID:5180
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\data.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\data.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\
  2⤵
  PID:2992

C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
1⤵
PID:5000

C:\Program Files\VideoLAN\VLC\lua\http\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\http\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\
1⤵
PID:4916
- C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
  "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
  2⤵
  PID:1148
- - C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
    "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
    3⤵
    PID:3144
  - - C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe
      "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
      4⤵
      PID:668

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x86\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\EBWebView\x86\
1⤵
PID:5392

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\update.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\update.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
1⤵
PID:6132
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
  2⤵
  PID:3780
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
    3⤵
    PID:2404

C:\Program Files\VideoLAN\VLC\plugins\backup.exe
"C:\Program Files\VideoLAN\VLC\plugins\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\
1⤵
PID:2664
- C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
  "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
  2⤵
  PID:908
- C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
  "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
  2⤵
  PID:5528
- C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe
  "C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_output\
  2⤵
  PID:3816

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\edge_feedback\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\edge_feedback\
1⤵
PID:5212

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\
1⤵
PID:960

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\Extensions\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\Extensions\
1⤵
PID:2376

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\update.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\update.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
1⤵
PID:5876

C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
1⤵
PID:1088

C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
1⤵
PID:2472
- C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
  2⤵
  PID:1688

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\
1⤵
PID:6040
- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\System Restore.exe
  "C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\
  2⤵
  PID:2832

C:\Windows\DigitalLocker\en-US\backup.exe
C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
1⤵
PID:2136

C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\
1⤵
PID:4944

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\
1⤵
PID:3900

C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
1⤵
PID:2148

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\identity_proxy\backup.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.76\identity_proxy\
1⤵
PID:5764

C:\Program Files\VideoLAN\VLC\skins\backup.exe
"C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
1⤵
PID:2804
- C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe
  "C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe" C:\Program Files\VideoLAN\VLC\skins\fonts\
  2⤵
  PID:184

C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
1⤵
PID:5692

C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\
1⤵
PID:456

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
1⤵
PID:4828

C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe
"C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\
1⤵
PID:4880
- C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe
  "C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\reader\
  2⤵
  PID:4484

C:\Windows\assembly\GAC_MSIL\cscompmgd\System Restore.exe
"C:\Windows\assembly\GAC_MSIL\cscompmgd\System Restore.exe" C:\Windows\assembly\GAC_MSIL\cscompmgd\
1⤵
PID:5352
- C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
  C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
  2⤵
  PID:5456

C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\
1⤵
PID:796

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
1⤵
PID:5104

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\
1⤵
PID:5176

C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
40KB

MD5
38c36cf0680c36fe3b16caf5f4bcc973

SHA1
e66a73e1d26f9d156cb8cf9053c85f761f9fece4

SHA256
0ecbd7da97e6556757303f9ed97aea777b07919b01f00c4ed7e56ee47124c177

SHA512
a98c09af44ecc23d70cc7520bb49225583e17643dd0bfe5af46d4741bf1b364bed80b37aa7bf965ad7765b1ce80c77d4b581812ba41653cdfedfb131e602e94c

Download Submit
C:\PerfLogs\backup.exe

Filesize
40KB

MD5
38c36cf0680c36fe3b16caf5f4bcc973

SHA1
e66a73e1d26f9d156cb8cf9053c85f761f9fece4

SHA256
0ecbd7da97e6556757303f9ed97aea777b07919b01f00c4ed7e56ee47124c177

SHA512
a98c09af44ecc23d70cc7520bb49225583e17643dd0bfe5af46d4741bf1b364bed80b37aa7bf965ad7765b1ce80c77d4b581812ba41653cdfedfb131e602e94c

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
dc34dd8e70386b7c5d9f242909274bcb

SHA1
384b11b892cb28a8373d05f63978896b9e4dc873

SHA256
b0c46e8a3afcb79de160313b076be6f9192206c872bf050d1aa897d4580bad42

SHA512
9bdf78873a2c414e0f6703915d200b08b84800982fb9e75acec724dfd888d50099c6013a352b0140207f025356cf2f753a56ce2905633c5f3b5041fcdd94ad3d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
40KB

MD5
dc34dd8e70386b7c5d9f242909274bcb

SHA1
384b11b892cb28a8373d05f63978896b9e4dc873

SHA256
b0c46e8a3afcb79de160313b076be6f9192206c872bf050d1aa897d4580bad42

SHA512
9bdf78873a2c414e0f6703915d200b08b84800982fb9e75acec724dfd888d50099c6013a352b0140207f025356cf2f753a56ce2905633c5f3b5041fcdd94ad3d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
2200007f1f7a77a3784dfa968206d38a

SHA1
0552e83664a44a99d8422995a088d7457e380428

SHA256
6dba98bfb5b63a3d18411a2931f77d797974f3c7ac5bf6a881e761e54bb68825

SHA512
d1c270f2ff8b3abe4597dbf9b5b289e888a20c7d540a95f2a05d05720e928f275b8f45e306ef1bc7109c80c6bb466509cf77dc22a011c6a1e68bf5b17943d27f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
40KB

MD5
2200007f1f7a77a3784dfa968206d38a

SHA1
0552e83664a44a99d8422995a088d7457e380428

SHA256
6dba98bfb5b63a3d18411a2931f77d797974f3c7ac5bf6a881e761e54bb68825

SHA512
d1c270f2ff8b3abe4597dbf9b5b289e888a20c7d540a95f2a05d05720e928f275b8f45e306ef1bc7109c80c6bb466509cf77dc22a011c6a1e68bf5b17943d27f

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
40KB

MD5
d6f4b47187a108cdd192748077e6be87

SHA1
a751d37be754fd324da561c051109e4f68b78c3e

SHA256
8d0ee4d28d1dcdde1e4b92caf532e7c34c5950ceffdccff8bed9add67214f557

SHA512
63c04659d174cbcb651f04156d280fefac71e75926581d5e6b34ad15a19dea314547cf5903a92e04b0d8e934764b49f6248ecd047f7928a320d9f0edb12d013e

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
40KB

MD5
d6f4b47187a108cdd192748077e6be87

SHA1
a751d37be754fd324da561c051109e4f68b78c3e

SHA256
8d0ee4d28d1dcdde1e4b92caf532e7c34c5950ceffdccff8bed9add67214f557

SHA512
63c04659d174cbcb651f04156d280fefac71e75926581d5e6b34ad15a19dea314547cf5903a92e04b0d8e934764b49f6248ecd047f7928a320d9f0edb12d013e

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
40KB

MD5
b97e8190e17857caf029cd8a0fe11c8d

SHA1
79efc87aeee84b805613bb41ca4b4f8d85c00df8

SHA256
a7d341c74b5993f2ab9fd828012fb2edd912f9cb350968325600ed4f28fcb02a

SHA512
9a65daa366ffb16e7876dc16f5dbff4f2a52cb5717d5c7d0911d16b8379fe688692207a58d1abb821671d056ce8be4dbc7559d5d48a1f371bb5852397f064471

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
40KB

MD5
b97e8190e17857caf029cd8a0fe11c8d

SHA1
79efc87aeee84b805613bb41ca4b4f8d85c00df8

SHA256
a7d341c74b5993f2ab9fd828012fb2edd912f9cb350968325600ed4f28fcb02a

SHA512
9a65daa366ffb16e7876dc16f5dbff4f2a52cb5717d5c7d0911d16b8379fe688692207a58d1abb821671d056ce8be4dbc7559d5d48a1f371bb5852397f064471

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
40KB

MD5
acef1a0e2ecc27b98d8dd6ca7686f2f6

SHA1
ea82005df211b6de92e3348ffda0d6836d29af14

SHA256
e21ec0a0c038890d2565ad1ce013bb38909ba57f1b066c84a154d6171545201d

SHA512
1756316027c0471c85f309e025bd5c33278270d036370814e0b6760a4de47ada38aabaf208a90b7077be1312e252ea5f0ecf686913897c86e7b8489765cf7d40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
40KB

MD5
acef1a0e2ecc27b98d8dd6ca7686f2f6

SHA1
ea82005df211b6de92e3348ffda0d6836d29af14

SHA256
e21ec0a0c038890d2565ad1ce013bb38909ba57f1b066c84a154d6171545201d

SHA512
1756316027c0471c85f309e025bd5c33278270d036370814e0b6760a4de47ada38aabaf208a90b7077be1312e252ea5f0ecf686913897c86e7b8489765cf7d40

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
40KB

MD5
d6f4b47187a108cdd192748077e6be87

SHA1
a751d37be754fd324da561c051109e4f68b78c3e

SHA256
8d0ee4d28d1dcdde1e4b92caf532e7c34c5950ceffdccff8bed9add67214f557

SHA512
63c04659d174cbcb651f04156d280fefac71e75926581d5e6b34ad15a19dea314547cf5903a92e04b0d8e934764b49f6248ecd047f7928a320d9f0edb12d013e

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
40KB

MD5
d6f4b47187a108cdd192748077e6be87

SHA1
a751d37be754fd324da561c051109e4f68b78c3e

SHA256
8d0ee4d28d1dcdde1e4b92caf532e7c34c5950ceffdccff8bed9add67214f557

SHA512
63c04659d174cbcb651f04156d280fefac71e75926581d5e6b34ad15a19dea314547cf5903a92e04b0d8e934764b49f6248ecd047f7928a320d9f0edb12d013e

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
40KB

MD5
fb132c22542d613350df0308e0bb6087

SHA1
6908e3bcb03460bbaeee753f97722e0641bb8a95

SHA256
7a5c9e62e4b14c420c9fb1a9ab76ee4e270167a535524429f7da351445686c12

SHA512
61893699758c47cfc4a8e5042c9b976cf1ff0ed1189c76e686fa21245fac8f6780bf924a4b928a50c0b7cb7fa8be56dac0f22a3828a2c6febdde4b3dd0ef7b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
40KB

MD5
fb132c22542d613350df0308e0bb6087

SHA1
6908e3bcb03460bbaeee753f97722e0641bb8a95

SHA256
7a5c9e62e4b14c420c9fb1a9ab76ee4e270167a535524429f7da351445686c12

SHA512
61893699758c47cfc4a8e5042c9b976cf1ff0ed1189c76e686fa21245fac8f6780bf924a4b928a50c0b7cb7fa8be56dac0f22a3828a2c6febdde4b3dd0ef7b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
40KB

MD5
acef1a0e2ecc27b98d8dd6ca7686f2f6

SHA1
ea82005df211b6de92e3348ffda0d6836d29af14

SHA256
e21ec0a0c038890d2565ad1ce013bb38909ba57f1b066c84a154d6171545201d

SHA512
1756316027c0471c85f309e025bd5c33278270d036370814e0b6760a4de47ada38aabaf208a90b7077be1312e252ea5f0ecf686913897c86e7b8489765cf7d40

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
40KB

MD5
acef1a0e2ecc27b98d8dd6ca7686f2f6

SHA1
ea82005df211b6de92e3348ffda0d6836d29af14

SHA256
e21ec0a0c038890d2565ad1ce013bb38909ba57f1b066c84a154d6171545201d

SHA512
1756316027c0471c85f309e025bd5c33278270d036370814e0b6760a4de47ada38aabaf208a90b7077be1312e252ea5f0ecf686913897c86e7b8489765cf7d40

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
40KB

MD5
fb132c22542d613350df0308e0bb6087

SHA1
6908e3bcb03460bbaeee753f97722e0641bb8a95

SHA256
7a5c9e62e4b14c420c9fb1a9ab76ee4e270167a535524429f7da351445686c12

SHA512
61893699758c47cfc4a8e5042c9b976cf1ff0ed1189c76e686fa21245fac8f6780bf924a4b928a50c0b7cb7fa8be56dac0f22a3828a2c6febdde4b3dd0ef7b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
40KB

MD5
fb132c22542d613350df0308e0bb6087

SHA1
6908e3bcb03460bbaeee753f97722e0641bb8a95

SHA256
7a5c9e62e4b14c420c9fb1a9ab76ee4e270167a535524429f7da351445686c12

SHA512
61893699758c47cfc4a8e5042c9b976cf1ff0ed1189c76e686fa21245fac8f6780bf924a4b928a50c0b7cb7fa8be56dac0f22a3828a2c6febdde4b3dd0ef7b4d

Download Submit
C:\Program Files\backup.exe

Filesize
40KB

MD5
a2f8bbd3c1b568e2c5a168b6e3bb2c7b

SHA1
0d46029d048436b2d937955ef6782f26cab2ef3b

SHA256
91eccf8dccb741d3dc359aafa7f563fcfd8867d4d603a4af5c5c6a13cbb73508

SHA512
6ef2999f71c74036bcf36b769af6d280cdd92975b12c22be61be22b59d68d4324d67443104b13939b074ccb92e113023247c1adce43a59f8ac90ef2a0a75f45d

Download Submit
C:\Program Files\backup.exe

Filesize
40KB

MD5
a2f8bbd3c1b568e2c5a168b6e3bb2c7b

SHA1
0d46029d048436b2d937955ef6782f26cab2ef3b

SHA256
91eccf8dccb741d3dc359aafa7f563fcfd8867d4d603a4af5c5c6a13cbb73508

SHA512
6ef2999f71c74036bcf36b769af6d280cdd92975b12c22be61be22b59d68d4324d67443104b13939b074ccb92e113023247c1adce43a59f8ac90ef2a0a75f45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\593055085\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\593055085\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\593055085\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe

Filesize
40KB

MD5
919703bbe338b51e62a43e7e0c6efa4b

SHA1
0d37f097e58a79002d6b519acfd88b6858ed4d8a

SHA256
665d4bdf7b4e53311052be1c61bf3b4d9fe2fb14c2971cd3be33672fc5de647a

SHA512
11bcd953f000aeac3810974ae409411538c80f4363dc6f3d50c594f8d15820dcbab194721c8f750040cbeba2038f7c643bbfff073430c515300bae56512c32f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\System Restore.exe

Filesize
40KB

MD5
919703bbe338b51e62a43e7e0c6efa4b

SHA1
0d37f097e58a79002d6b519acfd88b6858ed4d8a

SHA256
665d4bdf7b4e53311052be1c61bf3b4d9fe2fb14c2971cd3be33672fc5de647a

SHA512
11bcd953f000aeac3810974ae409411538c80f4363dc6f3d50c594f8d15820dcbab194721c8f750040cbeba2038f7c643bbfff073430c515300bae56512c32f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
40KB

MD5
1c57d035d13523b3f00a93a7655921cb

SHA1
d40dc0c4f8fd316c4a35588ec9c88d8c282a661c

SHA256
74aa9da8c6a57515dd5b4cbd2dd03a05b905c68c30a8c6d20b2e05b36769ddc8

SHA512
6920a0e165bb10b9f2025502733724d23663ce043be3447fb000f295f0d696df431fbb1cb269d2e7cde4369481a0e8a32b0244595e38e7f3305f7875053391b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
40KB

MD5
1c57d035d13523b3f00a93a7655921cb

SHA1
d40dc0c4f8fd316c4a35588ec9c88d8c282a661c

SHA256
74aa9da8c6a57515dd5b4cbd2dd03a05b905c68c30a8c6d20b2e05b36769ddc8

SHA512
6920a0e165bb10b9f2025502733724d23663ce043be3447fb000f295f0d696df431fbb1cb269d2e7cde4369481a0e8a32b0244595e38e7f3305f7875053391b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
40KB

MD5
a35408ba9dcc5b0e4e6ec5e90931cd5c

SHA1
d8a4543cfab148c8e3a85523b179f6be6c422c83

SHA256
d2bd8965849b48b72f5762bfdff30d0c7ce02702fc568cb287790e1f8d4b1eeb

SHA512
5a23ad0cc8bcbc96c7d7b0369371813e4e7b7f851908267f9dc543d5b94f3a9b164bfe904479fbeffe9281c048032dc9e1f34e24d88fa3ea5f7935f0cf054bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
40KB

MD5
a35408ba9dcc5b0e4e6ec5e90931cd5c

SHA1
d8a4543cfab148c8e3a85523b179f6be6c422c83

SHA256
d2bd8965849b48b72f5762bfdff30d0c7ce02702fc568cb287790e1f8d4b1eeb

SHA512
5a23ad0cc8bcbc96c7d7b0369371813e4e7b7f851908267f9dc543d5b94f3a9b164bfe904479fbeffe9281c048032dc9e1f34e24d88fa3ea5f7935f0cf054bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
40KB

MD5
6aeec2c9f844c7e338807a5d19c3dc77

SHA1
9a1b383724b0f119b8e5a253ebad416b38c5ca47

SHA256
5a2076f0f80c0339521190a4e5c5a34d1c063b6e1bc4737b538e030144f236fe

SHA512
2568b9a19130082a80b0df9e77a7ebec3b446f1e7f7aa8f2e61bf09d450c3871ddfe553be92dd95512deb4c2b6b73415c029dd656c3be8fd11608b2b4546325e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\CRX_INSTALL\backup.exe

Filesize
40KB

MD5
8f3d73cf9ec4f3d10dc7d437fd54047e

SHA1
3bfff42549627b41575926e9638f3945dd80633d

SHA256
576e18886e0b5024a1c30eac05a47d6648dedc69111c965f45012276db0a3768

SHA512
279a4d17ead48368682e12b2f451f522eba4eb5f107ba6e7d7f2438b44352f3de4541ee46bc0239fa85476b3333a392117e8b04a91128089e8904319967ca941

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\CRX_INSTALL\backup.exe

Filesize
40KB

MD5
8f3d73cf9ec4f3d10dc7d437fd54047e

SHA1
3bfff42549627b41575926e9638f3945dd80633d

SHA256
576e18886e0b5024a1c30eac05a47d6648dedc69111c965f45012276db0a3768

SHA512
279a4d17ead48368682e12b2f451f522eba4eb5f107ba6e7d7f2438b44352f3de4541ee46bc0239fa85476b3333a392117e8b04a91128089e8904319967ca941

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\backup.exe

Filesize
40KB

MD5
d24c1f96a127087916a765ad1c40284e

SHA1
baf015c9b5b90275a684fd6facc00b10f01e9f27

SHA256
2420e2b476f713e3015a1d452e7d596238cf6bb2336ea6b43f316334b467a523

SHA512
e9f1683c508ab8ea9e8979cfb5410e288d661fa8f227e8df860eb6d946ff4a34e59da917d484030fbdb7eb6d01462f7bd73c2971f413a1f71e8385ad5f758173

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_601684106\backup.exe

Filesize
40KB

MD5
d24c1f96a127087916a765ad1c40284e

SHA1
baf015c9b5b90275a684fd6facc00b10f01e9f27

SHA256
2420e2b476f713e3015a1d452e7d596238cf6bb2336ea6b43f316334b467a523

SHA512
e9f1683c508ab8ea9e8979cfb5410e288d661fa8f227e8df860eb6d946ff4a34e59da917d484030fbdb7eb6d01462f7bd73c2971f413a1f71e8385ad5f758173

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\backup.exe

Filesize
40KB

MD5
ae627c628fed86708aa634512f0e1239

SHA1
6c07c5234a36a189d70bf96f2bed5ff838c99494

SHA256
2b0fd05f1eff4dee73a07feb25fa8d3a9b86f5c3c8f125e5bcbd7227ec85f52e

SHA512
311ffa359727917ca042d64130ec2547470cc423944595558cbc3c64af271e7c1c6ded46613d4efe600e6f708d9e61a5ac6a583b174af659d5dba43b333561f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\backup.exe

Filesize
40KB

MD5
ae627c628fed86708aa634512f0e1239

SHA1
6c07c5234a36a189d70bf96f2bed5ff838c99494

SHA256
2b0fd05f1eff4dee73a07feb25fa8d3a9b86f5c3c8f125e5bcbd7227ec85f52e

SHA512
311ffa359727917ca042d64130ec2547470cc423944595558cbc3c64af271e7c1c6ded46613d4efe600e6f708d9e61a5ac6a583b174af659d5dba43b333561f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\bg\backup.exe

Filesize
40KB

MD5
b96f24e571a4c361a0a89c7dac0e7164

SHA1
825325cbf012159477b63d4c88f98eb63ec99409

SHA256
9d45e437dd6709b024d56411564a8c87972101ede790dbdc1eb094b8a017f88c

SHA512
4079b853314fc9161bd8ef3741f75c5bd8f09813c12e3be7b1a0b2c58a02a4ce126fd023efea68f6edaae28af0e4be1b82c9fbeac235ec0b792ff82998a31697

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\bg\backup.exe

Filesize
40KB

MD5
b96f24e571a4c361a0a89c7dac0e7164

SHA1
825325cbf012159477b63d4c88f98eb63ec99409

SHA256
9d45e437dd6709b024d56411564a8c87972101ede790dbdc1eb094b8a017f88c

SHA512
4079b853314fc9161bd8ef3741f75c5bd8f09813c12e3be7b1a0b2c58a02a4ce126fd023efea68f6edaae28af0e4be1b82c9fbeac235ec0b792ff82998a31697

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ca\backup.exe

Filesize
40KB

MD5
b96f24e571a4c361a0a89c7dac0e7164

SHA1
825325cbf012159477b63d4c88f98eb63ec99409

SHA256
9d45e437dd6709b024d56411564a8c87972101ede790dbdc1eb094b8a017f88c

SHA512
4079b853314fc9161bd8ef3741f75c5bd8f09813c12e3be7b1a0b2c58a02a4ce126fd023efea68f6edaae28af0e4be1b82c9fbeac235ec0b792ff82998a31697

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\ca\backup.exe

Filesize
40KB

MD5
b96f24e571a4c361a0a89c7dac0e7164

SHA1
825325cbf012159477b63d4c88f98eb63ec99409

SHA256
9d45e437dd6709b024d56411564a8c87972101ede790dbdc1eb094b8a017f88c

SHA512
4079b853314fc9161bd8ef3741f75c5bd8f09813c12e3be7b1a0b2c58a02a4ce126fd023efea68f6edaae28af0e4be1b82c9fbeac235ec0b792ff82998a31697

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\cs\backup.exe

Filesize
40KB

MD5
3506b0dfc6503fb1f93ad128b37d0d8f

SHA1
da808ab1da7397106203d538a292de55d7527bfd

SHA256
4bc6adf0afed701d1c68efcb2f145e9e0c21d9da3a0277a1a6ce7d415e76c77c

SHA512
9a2d7f3fcef98d593b666a5447f8ef20aae01f588b7c81682a63bcd1f9b19ae49a41a86e2457b1daff34a07df4bae8aef2da132dffbe9daf76fa50bc950e739e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\_locales\cs\backup.exe

Filesize
40KB

MD5
3506b0dfc6503fb1f93ad128b37d0d8f

SHA1
da808ab1da7397106203d538a292de55d7527bfd

SHA256
4bc6adf0afed701d1c68efcb2f145e9e0c21d9da3a0277a1a6ce7d415e76c77c

SHA512
9a2d7f3fcef98d593b666a5447f8ef20aae01f588b7c81682a63bcd1f9b19ae49a41a86e2457b1daff34a07df4bae8aef2da132dffbe9daf76fa50bc950e739e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\backup.exe

Filesize
40KB

MD5
7e5d8b835a330a2954c21943483769de

SHA1
d2c1303660e9b56e55aa4daf583ebd3b0aa1b8c4

SHA256
e4b5d295210ae19b4c09c9f430ca6e5a3b2238c5af1ed694e71a1a7b5946e974

SHA512
4a4c7103b917890ca5610bcc1e872e19b0472b14fb04c86c6727c3967df8505115dc916e396afc21eba92902b27f632c1a47dae01eeef44604ef84178cbeb970

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\CRX_INSTALL\backup.exe

Filesize
40KB

MD5
7e5d8b835a330a2954c21943483769de

SHA1
d2c1303660e9b56e55aa4daf583ebd3b0aa1b8c4

SHA256
e4b5d295210ae19b4c09c9f430ca6e5a3b2238c5af1ed694e71a1a7b5946e974

SHA512
4a4c7103b917890ca5610bcc1e872e19b0472b14fb04c86c6727c3967df8505115dc916e396afc21eba92902b27f632c1a47dae01eeef44604ef84178cbeb970

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\backup.exe

Filesize
40KB

MD5
d24c1f96a127087916a765ad1c40284e

SHA1
baf015c9b5b90275a684fd6facc00b10f01e9f27

SHA256
2420e2b476f713e3015a1d452e7d596238cf6bb2336ea6b43f316334b467a523

SHA512
e9f1683c508ab8ea9e8979cfb5410e288d661fa8f227e8df860eb6d946ff4a34e59da917d484030fbdb7eb6d01462f7bd73c2971f413a1f71e8385ad5f758173

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4736_689067531\backup.exe

Filesize
40KB

MD5
d24c1f96a127087916a765ad1c40284e

SHA1
baf015c9b5b90275a684fd6facc00b10f01e9f27

SHA256
2420e2b476f713e3015a1d452e7d596238cf6bb2336ea6b43f316334b467a523

SHA512
e9f1683c508ab8ea9e8979cfb5410e288d661fa8f227e8df860eb6d946ff4a34e59da917d484030fbdb7eb6d01462f7bd73c2971f413a1f71e8385ad5f758173

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22KB

MD5
ec31a5905a80d900c67e8d173130f9be

SHA1
8013f58979272035e811a27a4f80cec7c052158d

SHA256
4bbeb199ec3f4584bb3fc89fa4055c60763cff704e4f840228a16735d04a9b4a

SHA512
3b6f62e5e686ed995b7ed38c7627b734ca380aaa9ffeadde18de7c8c4063991a7f778ddca04faccfa0bc91109038e67865a3df37930543ba40b0f50c7e703c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BE42800B-C9A4-4E6E-B69C-BFA047D5726A}\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BE42800B-C9A4-4E6E-B69C-BFA047D5726A}\backup.exe

Filesize
40KB

MD5
04d302c15ada4de24bc5e8ca220f6b11

SHA1
78514396fe5d63eec823e7650c007a296177e8ed

SHA256
3259f4f1ceaffe7c57a99cbf192e2eca86f34173563a23a23df22eeebe680194

SHA512
a24d590a0a1069956930168d84149852a1f6a4af45b1999cba21a8f94c515a172ee4e53c518de528f9627a5b1bf33c5a83784962b269a2e98b450eb5f58919ee

Download Submit
C:\backup.exe

Filesize
40KB

MD5
d2e1ab12105ad54347dd03f5a6e83a5e

SHA1
5668baae9696ed411d83114d39dc6372f9ca94bc

SHA256
af15bc90d6abf63fcdb180f29ede3cb8bfce315a36281501e36684b37e732c85

SHA512
bd9df6242e089e77c14f0c24f2478be2ffd8e5f2de1d7c6574ff6c4d2137c2d7407323bb01629fc6ac467886431f674a841e847050f182fc8dfab1b9b4a189d5

Download Submit
C:\backup.exe

Filesize
40KB

MD5
d2e1ab12105ad54347dd03f5a6e83a5e

SHA1
5668baae9696ed411d83114d39dc6372f9ca94bc

SHA256
af15bc90d6abf63fcdb180f29ede3cb8bfce315a36281501e36684b37e732c85

SHA512
bd9df6242e089e77c14f0c24f2478be2ffd8e5f2de1d7c6574ff6c4d2137c2d7407323bb01629fc6ac467886431f674a841e847050f182fc8dfab1b9b4a189d5

Download Submit
C:\odt\backup.exe

Filesize
40KB

MD5
38c36cf0680c36fe3b16caf5f4bcc973

SHA1
e66a73e1d26f9d156cb8cf9053c85f761f9fece4

SHA256
0ecbd7da97e6556757303f9ed97aea777b07919b01f00c4ed7e56ee47124c177

SHA512
a98c09af44ecc23d70cc7520bb49225583e17643dd0bfe5af46d4741bf1b364bed80b37aa7bf965ad7765b1ce80c77d4b581812ba41653cdfedfb131e602e94c

Download Submit
C:\odt\backup.exe

Filesize
40KB

MD5
38c36cf0680c36fe3b16caf5f4bcc973

SHA1
e66a73e1d26f9d156cb8cf9053c85f761f9fece4

SHA256
0ecbd7da97e6556757303f9ed97aea777b07919b01f00c4ed7e56ee47124c177

SHA512
a98c09af44ecc23d70cc7520bb49225583e17643dd0bfe5af46d4741bf1b364bed80b37aa7bf965ad7765b1ce80c77d4b581812ba41653cdfedfb131e602e94c

Download Submit
memory/232-725-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/236-701-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/392-441-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/404-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/456-613-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-454-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/640-251-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/728-637-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/728-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1000-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1016-495-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1088-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1148-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1316-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1456-533-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-410-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1504-279-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1608-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-617-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-547-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1688-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-259-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-430-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-568-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1764-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-671-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1976-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-687-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2064-437-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-708-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2176-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2312-615-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-718-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-465-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-609-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-672-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-336-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-182-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-471-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3048-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3188-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3196-159-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-520-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3232-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-707-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-714-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3324-685-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3328-422-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-722-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3352-481-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3380-644-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3380-585-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3384-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3392-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3396-504-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3540-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3660-712-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3672-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3684-658-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3684-589-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3740-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3752-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3808-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3808-686-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3808-268-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3844-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3856-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3860-494-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3884-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3952-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4112-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4112-245-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4120-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4120-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4176-455-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4184-636-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4184-567-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4248-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4248-573-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4452-632-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4464-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4468-531-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4504-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4520-616-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4520-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-234-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-444-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4672-546-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4784-678-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4880-517-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4920-208-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4940-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-306-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-71-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5020-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5020-618-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5048-508-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5048-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5052-470-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5072-482-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads