23cdd43ef9422adc86abd58e4e7eaa6c0c901086ae5972cd8d5615b34aa1c35e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe
Size

79KB
MD5

da8eaf7bb8c6153358a7a7aa0dad2e90
SHA1

bbb2b93aab792b5e8a36ae3571c4b2f154413fa9
SHA256

23cdd43ef9422adc86abd58e4e7eaa6c0c901086ae5972cd8d5615b34aa1c35e
SHA512

2423ff91b8ce6951e26c5ffc7247d21ae035f941be895067b98a3815ca3c5514daf27e74f4ad1565f1fbf67d930942e01f504aaa43119df2a2eed9da9882f027
SSDEEP

768:FMpQNwC3BEddsEqOt/hyJuQNwC3BEp+2mDblVAQ4ogDjdO:qeTce/U/hjeTqsDblVKnO

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2004	backup.exe
4516	backup.exe
3628	backup.exe
4828	backup.exe
5100	backup.exe
1912	backup.exe
2800	backup.exe
1768	update.exe
1568	backup.exe
884	backup.exe
968	backup.exe
2612	backup.exe
688	backup.exe
2340	backup.exe
2112	backup.exe
1784	backup.exe
5116	backup.exe
4732	backup.exe
2016	backup.exe
1172	backup.exe
1712	backup.exe
4872	backup.exe
1516	backup.exe
4840	backup.exe
4944	backup.exe
1056	data.exe
5016	backup.exe
4760	backup.exe
5072	backup.exe
4756	backup.exe
768	backup.exe
4088	backup.exe
4124	update.exe
4704	backup.exe
1708	backup.exe
5004	backup.exe
2032	System Restore.exe
4908	System Restore.exe
1924	backup.exe
2084	backup.exe
3804	backup.exe
748	backup.exe
1020	backup.exe
1228	backup.exe
2396	backup.exe
3588	backup.exe
3980	backup.exe
2132	System Restore.exe
3616	backup.exe
5088	backup.exe
1256	backup.exe
2936	backup.exe
3400	backup.exe
4356	backup.exe
2476	backup.exe
1168	data.exe
1108	backup.exe
3220	backup.exe
1384	backup.exe
3104	backup.exe
4628	backup.exe
3540	backup.exe
4756	backup.exe
4400	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\Windows\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF5576B0-6EBE-4693-8424-0687B10D8290\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\System Restore.exe	backup.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\it-IT\data.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	System Restore.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	update.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\data.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\System Restore.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\update.exe	data.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\System Restore.exe	data.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe
2004	backup.exe
4516	backup.exe
3628	backup.exe
4828	backup.exe
5100	backup.exe
1912	backup.exe
2800	backup.exe
1768	update.exe
1568	backup.exe
884	backup.exe
968	backup.exe
2612	backup.exe
688	backup.exe
2340	backup.exe
2112	backup.exe
1784	backup.exe
5116	backup.exe
4732	backup.exe
2016	backup.exe
1172	backup.exe
1712	backup.exe
4872	backup.exe
1516	backup.exe
4840	backup.exe
4944	backup.exe
1056	data.exe
5016	backup.exe
4760	backup.exe
5072	backup.exe
4756	backup.exe
768	backup.exe
4088	backup.exe
4124	update.exe
4704	backup.exe
1708	backup.exe
5004	backup.exe
2032	System Restore.exe
4908	System Restore.exe
1924	backup.exe
2084	backup.exe
3804	backup.exe
748	backup.exe
1228	backup.exe
1020	backup.exe
3980	backup.exe
2396	backup.exe
5088	backup.exe
2132	System Restore.exe
3616	backup.exe
3588	backup.exe
1256	backup.exe
2936	backup.exe
2476	backup.exe
3400	backup.exe
1168	data.exe
4356	backup.exe
3540	backup.exe
1384	backup.exe
1108	backup.exe
3104	backup.exe
3220	backup.exe
4628	backup.exe
2868	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 2004	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	88
PID 3328 wrote to memory of 2004	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	88
PID 3328 wrote to memory of 2004	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	88
PID 3328 wrote to memory of 4516	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	89
PID 3328 wrote to memory of 4516	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	89
PID 3328 wrote to memory of 4516	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	89
PID 3328 wrote to memory of 3628	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	91
PID 3328 wrote to memory of 3628	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	91
PID 3328 wrote to memory of 3628	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	91
PID 3328 wrote to memory of 4828	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	90
PID 3328 wrote to memory of 4828	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	90
PID 3328 wrote to memory of 4828	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	90
PID 3328 wrote to memory of 5100	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	92
PID 3328 wrote to memory of 5100	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	92
PID 3328 wrote to memory of 5100	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	92
PID 3328 wrote to memory of 1912	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	93
PID 3328 wrote to memory of 1912	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	93
PID 3328 wrote to memory of 1912	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	93
PID 3328 wrote to memory of 2800	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	94
PID 3328 wrote to memory of 2800	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	94
PID 3328 wrote to memory of 2800	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	94
PID 3328 wrote to memory of 1768	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	95
PID 3328 wrote to memory of 1768	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	95
PID 3328 wrote to memory of 1768	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	95
PID 3328 wrote to memory of 1568	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	125
PID 3328 wrote to memory of 1568	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	125
PID 3328 wrote to memory of 1568	3328	NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe	125
PID 1568 wrote to memory of 884	1568	backup.exe	124
PID 1568 wrote to memory of 884	1568	backup.exe	124
PID 1568 wrote to memory of 884	1568	backup.exe	124
PID 884 wrote to memory of 968	884	backup.exe	123
PID 884 wrote to memory of 968	884	backup.exe	123
PID 884 wrote to memory of 968	884	backup.exe	123
PID 2004 wrote to memory of 2612	2004	backup.exe	122
PID 2004 wrote to memory of 2612	2004	backup.exe	122
PID 2004 wrote to memory of 2612	2004	backup.exe	122
PID 2612 wrote to memory of 688	2612	backup.exe	96
PID 2612 wrote to memory of 688	2612	backup.exe	96
PID 2612 wrote to memory of 688	2612	backup.exe	96
PID 2612 wrote to memory of 2340	2612	backup.exe	97
PID 2612 wrote to memory of 2340	2612	backup.exe	97
PID 2612 wrote to memory of 2340	2612	backup.exe	97
PID 2612 wrote to memory of 2112	2612	backup.exe	98
PID 2612 wrote to memory of 2112	2612	backup.exe	98
PID 2612 wrote to memory of 2112	2612	backup.exe	98
PID 2112 wrote to memory of 1784	2112	backup.exe	99
PID 2112 wrote to memory of 1784	2112	backup.exe	99
PID 2112 wrote to memory of 1784	2112	backup.exe	99
PID 1784 wrote to memory of 5116	1784	backup.exe	121
PID 1784 wrote to memory of 5116	1784	backup.exe	121
PID 1784 wrote to memory of 5116	1784	backup.exe	121
PID 2112 wrote to memory of 4732	2112	backup.exe	100
PID 2112 wrote to memory of 4732	2112	backup.exe	100
PID 2112 wrote to memory of 4732	2112	backup.exe	100
PID 4732 wrote to memory of 2016	4732	backup.exe	101
PID 4732 wrote to memory of 2016	4732	backup.exe	101
PID 4732 wrote to memory of 2016	4732	backup.exe	101
PID 4732 wrote to memory of 1172	4732	backup.exe	120
PID 4732 wrote to memory of 1172	4732	backup.exe	120
PID 4732 wrote to memory of 1172	4732	backup.exe	120
PID 1172 wrote to memory of 1712	1172	backup.exe	102
PID 1172 wrote to memory of 1712	1172	backup.exe	102
PID 1172 wrote to memory of 1712	1172	backup.exe	102
PID 1172 wrote to memory of 4872	1172	backup.exe	119

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.da8eaf7bb8c6153358a7a7aa0dad2e90.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\{32A85F0C-CD71-4CC9-9055-2F9A813F8334}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{32A85F0C-CD71-4CC9-9055-2F9A813F8334}\backup.exe C:\Users\Admin\AppData\Local\Temp\{32A85F0C-CD71-4CC9-9055-2F9A813F8334}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:748
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2712
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1676
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:4600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:3604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:224
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4884
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:4828
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:4184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:3664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:4624
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:744
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:3844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:3896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:4476
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:3536
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        System policy modification
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:2128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        12⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2320
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        13⤵
        
        PID:1028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        13⤵
        
        PID:4024
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:4748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:3664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        Disables RegEdit via registry modification
        
        PID:5092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:4996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:3664
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:4756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:2152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        Disables RegEdit via registry modification
        
        PID:1128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:2452
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3868
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2500
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:4056
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1176
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:2712
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2504
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:4512
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Drops file in Program Files directory
        
        PID:4100
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:3356
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:3552
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:3348
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:4164
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        Drops file in Program Files directory
        
        PID:4756
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4448
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:1796
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        
        PID:368
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1056
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1016
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:2516
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:1228
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:840
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:3160
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        Disables RegEdit via registry modification
        
        PID:3636
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:2940
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:3848
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3864
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:4652
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:2568
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:2932
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2500
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:4184
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        System policy modification
        
        PID:3016
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3648
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:3580
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2000
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:4604
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3580
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:4648
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:3956
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2560
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1180
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:3984
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:3664
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:4704
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:2512
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        Drops file in Program Files directory
        
        PID:4204
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:5000
      - C:\Program Files (x86)\Common Files\Services\update.exe
        
        "C:\Program Files (x86)\Common Files\Services\update.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:3576
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4288
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:3436
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:1184
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\data.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4184
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1308
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:812
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:4400
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:4596
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:4628
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:4676
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:3416
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:4268
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:5020
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:4392
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Drops file in Program Files directory
        
        PID:3308
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:3400
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2280
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:2692
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:3216
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:3552
        
        C:\Program Files (x86)\Google\Update\Install\{6D1E095F-36F5-41C3-AA9F-CDD3FD51BCD2}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{6D1E095F-36F5-41C3-AA9F-CDD3FD51BCD2}\update.exe" C:\Program Files (x86)\Google\Update\Install\{6D1E095F-36F5-41C3-AA9F-CDD3FD51BCD2}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2936
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:644
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1868
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1228
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2536
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3588
      - C:\Program Files (x86)\Internet Explorer\images\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\update.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:4424
      - C:\Program Files (x86)\Internet Explorer\it-IT\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\data.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2724
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:4184
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:3396
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Disables RegEdit via registry modification
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:3308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        Disables RegEdit via registry modification
        
        PID:836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:1404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        9⤵
        
        PID:4740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        9⤵
        
        PID:4932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        9⤵
        
        PID:684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\data.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        9⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:1516
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Drops file in Program Files directory
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\
        7⤵
        
        PID:752
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:816
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:3564
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:2120
    - - C:\Program Files (x86)\Mozilla Maintenance Service\System Restore.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\System Restore.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:4516
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:3624
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:1408
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:4252
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:3980
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2000
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        System policy modification
        
        PID:2128
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:4268
      - C:\Users\Admin\Desktop\System Restore.exe
        
        "C:\Users\Admin\Desktop\System Restore.exe" C:\Users\Admin\Desktop\
        6⤵
        
        PID:4288
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1736
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        
        PID:4448
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:4040
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1384
      - C:\Users\Admin\Links\data.exe
        
        C:\Users\Admin\Links\data.exe C:\Users\Admin\Links\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
      - C:\Users\Admin\Music\update.exe
        
        C:\Users\Admin\Music\update.exe C:\Users\Admin\Music\
        6⤵
        
        PID:5048
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:1352
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2968
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4100
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4772
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1632
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:3380
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1284
      - C:\Users\Public\Documents\System Restore.exe
        
        "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
        6⤵
        Disables RegEdit via registry modification
        
        PID:5000
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3920
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:3804
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1380
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:3600
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Windows directory
      PID:400
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2628
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:4412
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4376
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4700
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3112
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        System policy modification
        
        PID:2104
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4804
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        
        PID:844
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:4648
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        System policy modification
        
        PID:5100
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4040
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:1488
      - C:\Windows\apppatch\fr-FR\update.exe
        
        C:\Windows\apppatch\fr-FR\update.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:4796
      - C:\Windows\apppatch\it-IT\data.exe
        
        C:\Windows\apppatch\it-IT\data.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:4252
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:3416
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:2104
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:224
      - C:\Windows\assembly\GAC\data.exe
        
        C:\Windows\assembly\GAC\data.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:2536
        
        C:\Windows\assembly\GAC\ADODB\System Restore.exe
        
        "C:\Windows\assembly\GAC\ADODB\System Restore.exe" C:\Windows\assembly\GAC\ADODB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:2912
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3864
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:3944
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4764
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:388
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3444
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\System Restore.exe
        
        "C:\Windows\assembly\GAC\Microsoft.StdFormat\System Restore.exe" C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:3936
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4268
        
        C:\Windows\assembly\GAC\mscomctl\update.exe
        
        C:\Windows\assembly\GAC\mscomctl\update.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:4692
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        System policy modification
        
        PID:3848
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Drops file in Windows directory
        
        PID:1756
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3840
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5004
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Windows directory
        
        PID:844
      - C:\Windows\Branding\Basebrd\data.exe
        
        C:\Windows\Branding\Basebrd\data.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:2060
- C:\Users\Admin\AppData\Local\Temp\1612688991\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1612688991\backup.exe C:\Users\Admin\AppData\Local\Temp\1612688991\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4516
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1568

C:\odt\backup.exe
C:\odt\backup.exe C:\odt\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files\7-Zip\backup.exe
  "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1784
- - C:\Program Files\7-Zip\Lang\backup.exe
    "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5116
- C:\Program Files\Common Files\backup.exe
  "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4732
- - C:\Program Files\Common Files\DESIGNER\backup.exe
    "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2016
- - C:\Program Files\Common Files\microsoft shared\backup.exe
    "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1172
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2084
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3220
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        5⤵
        
        PID:3404
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4884
    - - C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        5⤵
        
        PID:4548
  - - C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
      "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
      4⤵
      PID:2940
    - - C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\update.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        5⤵
        
        PID:376
  - - C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
      "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
      4⤵
      Disables RegEdit via registry modification
      PID:3528
  - - C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
      "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
      4⤵
      Disables RegEdit via registry modification
      PID:2496
  - - C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
      "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
      4⤵
      System policy modification
      PID:4192
  - - C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
      "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
      4⤵
      PID:2272
    - - C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2396
  - - C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
      "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
      4⤵
      PID:2912
    - - C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        5⤵
        
        PID:3024
  - - C:\Program Files\Common Files\microsoft shared\VC\backup.exe
      "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
      4⤵
      PID:5108
  - - C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
      "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
      4⤵
      System policy modification
      PID:4524
  - - C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
      "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2116
    - - C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2152
      - C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        6⤵
        
        PID:1600
- - C:\Program Files\Common Files\Services\backup.exe
    "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3804
- - C:\Program Files\Common Files\System\System Restore.exe
    "C:\Program Files\Common Files\System\System Restore.exe" C:\Program Files\Common Files\System\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2132
  - - C:\Program Files\Common Files\System\ado\backup.exe
      "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3400
    - - C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4628
    - - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        5⤵
        
        PID:3068
    - - C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        5⤵
        Executes dropped EXE
        
        PID:4400
    - - C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        5⤵
        
        PID:3308
    - - C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        5⤵
        
        PID:1596
    - - C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        5⤵
        
        PID:3588
  - - C:\Program Files\Common Files\System\de-DE\backup.exe
      "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
      4⤵
      PID:3384
  - - C:\Program Files\Common Files\System\en-US\backup.exe
      "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
      4⤵
      System policy modification
      PID:744
  - - C:\Program Files\Common Files\System\es-ES\backup.exe
      "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
      4⤵
      PID:1508
  - - C:\Program Files\Common Files\System\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
      4⤵
      PID:840
  - - C:\Program Files\Common Files\System\it-IT\backup.exe
      "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
      4⤵
      PID:3932
  - - C:\Program Files\Common Files\System\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
      4⤵
      PID:4040
  - - C:\Program Files\Common Files\System\msadc\backup.exe
      "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
      4⤵
      Drops file in Program Files directory
      System policy modification
      PID:1908
    - - C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
    - - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        5⤵
        
        PID:2116
    - - C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        5⤵
        System policy modification
        
        PID:4184
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
    - - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        5⤵
        
        PID:1976
    - - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3840
    - - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        5⤵
        
        PID:5108
  - - C:\Program Files\Common Files\System\Ole DB\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
      4⤵
      PID:3616
    - - C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2820
    - - C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        5⤵
        
        PID:3680
    - - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        5⤵
        
        PID:3700
    - - C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        5⤵
        
        PID:4592
    - - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        5⤵
        
        PID:1180
- C:\Program Files\Google\backup.exe
  "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1924
- - C:\Program Files\Google\Chrome\backup.exe
    "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3616
  - - C:\Program Files\Google\Chrome\Application\backup.exe
      "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2476
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3540
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        6⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2868
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        6⤵
        
        PID:5112
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        6⤵
        
        PID:2016
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:3768
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        6⤵
        
        PID:3616
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        7⤵
        
        PID:4500
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        6⤵
        
        PID:1820
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        6⤵
        
        PID:3324
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        7⤵
        
        PID:3536
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        8⤵
        
        PID:2560
    - - C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        5⤵
        
        PID:1240
- C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  2⤵
  PID:1476
- - C:\Program Files\Internet Explorer\de-DE\backup.exe
    "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
    3⤵
    PID:4760
- - C:\Program Files\Internet Explorer\en-US\backup.exe
    "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
    3⤵
    - System policy modification
    PID:3936
- - C:\Program Files\Internet Explorer\es-ES\backup.exe
    "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
    3⤵
    PID:2832
- - C:\Program Files\Internet Explorer\fr-FR\backup.exe
    "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
    3⤵
    PID:3520
- - C:\Program Files\Internet Explorer\images\backup.exe
    "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
    3⤵
    PID:4688
- - C:\Program Files\Internet Explorer\it-IT\backup.exe
    "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4700
- - C:\Program Files\Internet Explorer\ja-JP\System Restore.exe
    "C:\Program Files\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files\Internet Explorer\ja-JP\
    3⤵
    PID:3356
- - C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
    "C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
    3⤵
    PID:4804
- C:\Program Files\Java\backup.exe
  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:2812
- - C:\Program Files\Java\jdk-1.8\backup.exe
    "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
    3⤵
    - Drops file in Program Files directory
    PID:3944
  - - C:\Program Files\Java\jdk-1.8\bin\backup.exe
      "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
      4⤵
      System policy modification
      PID:4160
  - - C:\Program Files\Java\jdk-1.8\include\backup.exe
      "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
      4⤵
      PID:1128
    - - C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        5⤵
        
        PID:1376
      - C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        6⤵
        
        PID:4652
  - - C:\Program Files\Java\jdk-1.8\jre\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
      4⤵
      Drops file in Program Files directory
      System policy modification
      PID:3580
    - - C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        5⤵
        Drops file in Program Files directory
        
        PID:3208
      - C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\data.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:844
      - C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        6⤵
        
        PID:1176
      - C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3536
    - - C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
      - C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        6⤵
        
        PID:3992
      - C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        6⤵
        
        PID:2652
    - - C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        5⤵
        
        PID:3092
      - C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        6⤵
        System policy modification
        
        PID:3328
      - C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        6⤵
        
        PID:5016
      - C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        6⤵
        
        PID:2480
      - C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        6⤵
        
        PID:4384
      - C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        6⤵
        System policy modification
        
        PID:1284
      - C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        6⤵
        
        PID:2932
      - C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        6⤵
        Drops file in Program Files directory
        
        PID:4140
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        7⤵
        
        PID:1632
      - C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3348
      - C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        6⤵
        
        PID:3212
      - C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        6⤵
        Disables RegEdit via registry modification
        
        PID:5000
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        7⤵
        Drops file in Program Files directory
        
        PID:4856
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        8⤵
        
        PID:1392
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4356
  - - C:\Program Files\Java\jdk-1.8\legal\backup.exe
      "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      System policy modification
      PID:3444
    - - C:\Program Files\Java\jdk-1.8\legal\javafx\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\System Restore.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        5⤵
        
        PID:3352
    - - C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        5⤵
        
        PID:3984
  - - C:\Program Files\Java\jdk-1.8\lib\backup.exe
      "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4408
- - C:\Program Files\Java\jre-1.8\backup.exe
    "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
    3⤵
    - Drops file in Program Files directory
    PID:4840
  - - C:\Program Files\Java\jre-1.8\bin\backup.exe
      "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
      4⤵
      Drops file in Program Files directory
      PID:4884
    - - C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        5⤵
        
        PID:4592
    - - C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        5⤵
        
        PID:1924
    - - C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        5⤵
        
        PID:1548
  - - C:\Program Files\Java\jre-1.8\legal\backup.exe
      "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
      4⤵
      System policy modification
      PID:4748
    - - C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        5⤵
        
        PID:3540
    - - C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        5⤵
        
        PID:3348
  - - C:\Program Files\Java\jre-1.8\lib\backup.exe
      "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
      4⤵
      Disables RegEdit via registry modification
      PID:3112
    - - C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        5⤵
        
        PID:4852
    - - C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        5⤵
        
        PID:1388
    - - C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
    - - C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        5⤵
        
        PID:4204
    - - C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
    - - C:\Program Files\Java\jre-1.8\lib\fonts\update.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\update.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        5⤵
        
        PID:1120
    - - C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        5⤵
        
        PID:4924
      - C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
    - - C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        5⤵
        
        PID:2176
    - - C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1616
    - - C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:208
      - C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        6⤵
        
        PID:5072
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  - Drops file in Program Files directory
  PID:4536
- - C:\Program Files\Microsoft Office\Office16\backup.exe
    "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
    3⤵
    PID:4504
- - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
    "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
    3⤵
    PID:4448
- - C:\Program Files\Microsoft Office\root\backup.exe
    "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
    3⤵
    - Drops file in Program Files directory
    PID:2712
  - - C:\Program Files\Microsoft Office\root\Client\backup.exe
      "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
      4⤵
      Disables RegEdit via registry modification
      PID:4524
  - - C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
      "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
      4⤵
      PID:1368
    - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        5⤵
        System policy modification
        
        PID:564
    - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        5⤵
        
        PID:3604
    - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4176
  - - C:\Program Files\Microsoft Office\root\fre\backup.exe
      "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
      4⤵
      PID:3844
  - - C:\Program Files\Microsoft Office\root\Integration\backup.exe
      "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
      4⤵
      PID:4244
    - - C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        5⤵
        
        PID:3208
  - - C:\Program Files\Microsoft Office\root\Licenses\backup.exe
      "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5048
  - - C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
      "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
      4⤵
      PID:3172
  - - C:\Program Files\Microsoft Office\root\loc\backup.exe
      "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2280
  - - C:\Program Files\Microsoft Office\root\Office15\backup.exe
      "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
      4⤵
      PID:4452
  - - C:\Program Files\Microsoft Office\root\Office16\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
      4⤵
      PID:4384
    - - C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        5⤵
        
        PID:2416
      - C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        6⤵
        
        PID:4040
      - C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        6⤵
        
        PID:2632
  - - C:\Program Files\Microsoft Office\root\rsod\backup.exe
      "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
      4⤵
      Disables RegEdit via registry modification
      PID:3648
  - - C:\Program Files\Microsoft Office\root\Templates\backup.exe
      "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
      4⤵
      PID:3792
    - - C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        5⤵
        
        PID:1236
      - C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        6⤵
        
        PID:376
- - C:\Program Files\Microsoft Office\Updates\backup.exe
    "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
    3⤵
    PID:3560
  - - C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
      4⤵
      PID:2512
    - - C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
        5⤵
        Drops file in Program Files directory
        
        PID:1352
      - C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF5576B0-6EBE-4693-8424-0687B10D8290\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF5576B0-6EBE-4693-8424-0687B10D8290\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF5576B0-6EBE-4693-8424-0687B10D8290\
        6⤵
        
        PID:220
  - - C:\Program Files\Microsoft Office\Updates\Download\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
      4⤵
      System policy modification
      PID:4996
    - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        5⤵
        
        PID:1536
      - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\
        6⤵
        
        PID:4688
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\
        7⤵
        
        PID:3556
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\
        8⤵
        Drops file in Program Files directory
        
        PID:4944
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\Windows\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DF5576B0-6EBE-4693-8424-0687B10D8290\root\vfs\Windows\
        9⤵
        
        PID:2420
- C:\Program Files\Microsoft Office 15\backup.exe
  "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
  2⤵
  - Drops file in Program Files directory
  PID:3304
- - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2060
- C:\Program Files\Mozilla Firefox\backup.exe
  "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  PID:5072
- - C:\Program Files\Mozilla Firefox\browser\backup.exe
    "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5100
  - - C:\Program Files\Mozilla Firefox\browser\features\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
      4⤵
      System policy modification
      PID:112
  - - C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
      4⤵
      PID:2116
- - C:\Program Files\Mozilla Firefox\defaults\backup.exe
    "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
    3⤵
    PID:1460
  - - C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
      "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:3604
- - C:\Program Files\Mozilla Firefox\fonts\backup.exe
    "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
    3⤵
    - System policy modification
    PID:3936
- - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
    "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
    3⤵
    PID:3308
  - - C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
      "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
      4⤵
      PID:4500
- - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
    "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2932
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4716
- - C:\Program Files\MSBuild\Microsoft\backup.exe
    "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
    3⤵
    - System policy modification
    PID:3168
  - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
      "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
      4⤵
      PID:3224
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        5⤵
        
        PID:2776
- C:\Program Files\Reference Assemblies\backup.exe
  "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:4428
- - C:\Program Files\Reference Assemblies\Microsoft\data.exe
    "C:\Program Files\Reference Assemblies\Microsoft\data.exe" C:\Program Files\Reference Assemblies\Microsoft\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4948
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
      4⤵
      Disables RegEdit via registry modification
      PID:4088
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        5⤵
        
        PID:564

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4944

C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:768

C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\et-EE\update.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4124

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4872
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2032
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\System Restore.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4908
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:5088
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4356
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1384
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
    3⤵
    PID:4316
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4852
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
    3⤵
    PID:4204
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
    3⤵
    PID:5016
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
    3⤵
    PID:4732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
    3⤵
    PID:4448
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
      4⤵
      PID:4696
- C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1020
- C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3980
- C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2936
- C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  PID:4756
- C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
  2⤵
  PID:5048
- C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
  2⤵
  PID:5052
- C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
  2⤵
  - Disables RegEdit via registry modification
  PID:4124
- C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
  2⤵
  PID:4480
- C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
  2⤵
  PID:2512
- C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
  2⤵
  PID:4296
- C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4612
- C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
  2⤵
  PID:368
- C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
  2⤵
  PID:1536
- C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
  2⤵
  - Disables RegEdit via registry modification
  PID:1240
- C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
  2⤵
  PID:4296
- C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
  2⤵
  PID:1504
- C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
  2⤵
  PID:3064
- C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3596
- C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
  2⤵
  - Disables RegEdit via registry modification
  PID:2912
- C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
  2⤵
  PID:412
- C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
  2⤵
  - Disables RegEdit via registry modification
  PID:3404
- C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
  2⤵
  - System policy modification
  PID:4876
- C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe
  "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
  2⤵
  PID:3160
- C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
  2⤵
  - System policy modification
  PID:3304
- C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
  2⤵
  - Disables RegEdit via registry modification
  PID:4752

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:968

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
79KB

MD5
ec963037eec1042b5506aea181cdcf4c

SHA1
2dd63e12db90dbc3d1646db0104ce1a704ba394f

SHA256
d1aded522975b349d13670313d0ce560bfd7877d3244cc2c5efcad4841c1a6d3

SHA512
9a8a143fc613adb7902bffdbb8a7bd4b9511d0add24af0e873fbc9847b50e9710d4b15780d28248b586c4f17b8318da17ac24de391b4f4cc45941f6270c640e7

Download Submit
C:\PerfLogs\backup.exe

Filesize
79KB

MD5
ec963037eec1042b5506aea181cdcf4c

SHA1
2dd63e12db90dbc3d1646db0104ce1a704ba394f

SHA256
d1aded522975b349d13670313d0ce560bfd7877d3244cc2c5efcad4841c1a6d3

SHA512
9a8a143fc613adb7902bffdbb8a7bd4b9511d0add24af0e873fbc9847b50e9710d4b15780d28248b586c4f17b8318da17ac24de391b4f4cc45941f6270c640e7

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
79KB

MD5
7b43ec70fb3c40fad8c8bc209024fb22

SHA1
b5a9c013607a76e39ff3fdb9e55c3c9bf204e7b8

SHA256
757b2c9abdee066ee2803bea742c4391c2a4a53f071285ca0195f62962d8f4bb

SHA512
313dbdf39e6bfe5550e15026396a14b6fe71c9acfde4900f00f03e129e57e2ca8f306337e02a61aed473a9c1620360b011e324270af7105cc69f742e32c4eab2

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
79KB

MD5
7b43ec70fb3c40fad8c8bc209024fb22

SHA1
b5a9c013607a76e39ff3fdb9e55c3c9bf204e7b8

SHA256
757b2c9abdee066ee2803bea742c4391c2a4a53f071285ca0195f62962d8f4bb

SHA512
313dbdf39e6bfe5550e15026396a14b6fe71c9acfde4900f00f03e129e57e2ca8f306337e02a61aed473a9c1620360b011e324270af7105cc69f742e32c4eab2

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
79KB

MD5
7b43ec70fb3c40fad8c8bc209024fb22

SHA1
b5a9c013607a76e39ff3fdb9e55c3c9bf204e7b8

SHA256
757b2c9abdee066ee2803bea742c4391c2a4a53f071285ca0195f62962d8f4bb

SHA512
313dbdf39e6bfe5550e15026396a14b6fe71c9acfde4900f00f03e129e57e2ca8f306337e02a61aed473a9c1620360b011e324270af7105cc69f742e32c4eab2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
79KB

MD5
7b43ec70fb3c40fad8c8bc209024fb22

SHA1
b5a9c013607a76e39ff3fdb9e55c3c9bf204e7b8

SHA256
757b2c9abdee066ee2803bea742c4391c2a4a53f071285ca0195f62962d8f4bb

SHA512
313dbdf39e6bfe5550e15026396a14b6fe71c9acfde4900f00f03e129e57e2ca8f306337e02a61aed473a9c1620360b011e324270af7105cc69f742e32c4eab2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
79KB

MD5
446da664e3151abb13e38ea2b3d6d29d

SHA1
35a11f969aeb6154485177e8348d863f6b24036a

SHA256
8a1620d6cfc24606dffa5aca8fe2e341b0486029e67b3c7899533a0ecd5ed324

SHA512
4391cd9ea02708daf232cc09515fed6d2608fe490d1b51e8588b58b1f77ce83217c3dd548e3fdf8414ad973c2c60e14129dba62b9006961076c01473f6dbd82a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
79KB

MD5
446da664e3151abb13e38ea2b3d6d29d

SHA1
35a11f969aeb6154485177e8348d863f6b24036a

SHA256
8a1620d6cfc24606dffa5aca8fe2e341b0486029e67b3c7899533a0ecd5ed324

SHA512
4391cd9ea02708daf232cc09515fed6d2608fe490d1b51e8588b58b1f77ce83217c3dd548e3fdf8414ad973c2c60e14129dba62b9006961076c01473f6dbd82a

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
79KB

MD5
42f36bffbb9cd6803c3c29ac69d068ef

SHA1
6040ed18411d0c2919f78d85b7717a51be70a151

SHA256
03011ce615ddc26430310b525c3f0a3b153a0789495934a9a727e7d39b45463c

SHA512
40b5a18d3dcb620ed4c8f939d6a6b4b8b4f819ca1a902c18a3150dd817beb0d4dddd4e85e9c6362abe154b7adf9a4fe9c0efdaa251323931e061a4595c4534ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
79KB

MD5
eced1798c663ac876bd55c8c319da9e3

SHA1
077cf624d7da1d8382cf1dfbacfc6ccfd50b205d

SHA256
02cf2666791e46baff2e97f4bce33164e4cdae472c42741f09bb867b7fdf4581

SHA512
bc4dea94bc43797e9b7dfd8e0239c433966388d109e36ac331519ca4272534b42ecba2077624eb2ffcbc578e8c3d2e23327cdb25f9815990fed24f18373795f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
79KB

MD5
eced1798c663ac876bd55c8c319da9e3

SHA1
077cf624d7da1d8382cf1dfbacfc6ccfd50b205d

SHA256
02cf2666791e46baff2e97f4bce33164e4cdae472c42741f09bb867b7fdf4581

SHA512
bc4dea94bc43797e9b7dfd8e0239c433966388d109e36ac331519ca4272534b42ecba2077624eb2ffcbc578e8c3d2e23327cdb25f9815990fed24f18373795f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
79KB

MD5
446da664e3151abb13e38ea2b3d6d29d

SHA1
35a11f969aeb6154485177e8348d863f6b24036a

SHA256
8a1620d6cfc24606dffa5aca8fe2e341b0486029e67b3c7899533a0ecd5ed324

SHA512
4391cd9ea02708daf232cc09515fed6d2608fe490d1b51e8588b58b1f77ce83217c3dd548e3fdf8414ad973c2c60e14129dba62b9006961076c01473f6dbd82a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
79KB

MD5
446da664e3151abb13e38ea2b3d6d29d

SHA1
35a11f969aeb6154485177e8348d863f6b24036a

SHA256
8a1620d6cfc24606dffa5aca8fe2e341b0486029e67b3c7899533a0ecd5ed324

SHA512
4391cd9ea02708daf232cc09515fed6d2608fe490d1b51e8588b58b1f77ce83217c3dd548e3fdf8414ad973c2c60e14129dba62b9006961076c01473f6dbd82a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\data.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
79KB

MD5
0190959b330d03b23111e3252fc07c41

SHA1
a23d8098f40e68396ebd11c70cbf132bbb872833

SHA256
c4e5c5810b00da248a6f871d78e3b08260e1e0839138ec9b540a2c2e76d718c8

SHA512
6cc17b35ff64a84eebfd76b7355ab2904532edffedca5ac38a414774514ac1fc88247077da3eefce0b3057a2cdc4efbaf429d82084d9e258d5f57a93593ee361

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
79KB

MD5
ed1e83da737d144b10e591d352409180

SHA1
b35b67b11d724cff0d834caf31d6e2e20d028465

SHA256
7b20a6b8b854c47b72cf1c363783460bd57a31c45e6d38dbd49c340ab8bfd1b6

SHA512
5e674b4f1469921b3bcbb9d5b09c1e07b0c14163cfb44c8c49e5e078e27b76e138f6777e047746ae4c07269d24ae09c0af8f4a53a15db7ea0566451d2449fae6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
79KB

MD5
ed1e83da737d144b10e591d352409180

SHA1
b35b67b11d724cff0d834caf31d6e2e20d028465

SHA256
7b20a6b8b854c47b72cf1c363783460bd57a31c45e6d38dbd49c340ab8bfd1b6

SHA512
5e674b4f1469921b3bcbb9d5b09c1e07b0c14163cfb44c8c49e5e078e27b76e138f6777e047746ae4c07269d24ae09c0af8f4a53a15db7ea0566451d2449fae6

Download Submit
C:\Program Files\backup.exe

Filesize
79KB

MD5
ec963037eec1042b5506aea181cdcf4c

SHA1
2dd63e12db90dbc3d1646db0104ce1a704ba394f

SHA256
d1aded522975b349d13670313d0ce560bfd7877d3244cc2c5efcad4841c1a6d3

SHA512
9a8a143fc613adb7902bffdbb8a7bd4b9511d0add24af0e873fbc9847b50e9710d4b15780d28248b586c4f17b8318da17ac24de391b4f4cc45941f6270c640e7

Download Submit
C:\Program Files\backup.exe

Filesize
79KB

MD5
ec963037eec1042b5506aea181cdcf4c

SHA1
2dd63e12db90dbc3d1646db0104ce1a704ba394f

SHA256
d1aded522975b349d13670313d0ce560bfd7877d3244cc2c5efcad4841c1a6d3

SHA512
9a8a143fc613adb7902bffdbb8a7bd4b9511d0add24af0e873fbc9847b50e9710d4b15780d28248b586c4f17b8318da17ac24de391b4f4cc45941f6270c640e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1612688991\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1612688991\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1612688991\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
79KB

MD5
cd00cdf930edabbcd207474e46d63674

SHA1
f18e14c9e96512f53fcfb98b067f0d06d6060f8c

SHA256
7b9f2ad22a8461702f644312fbe862e715991ef170474b9be5ca1d5a5093f6b8

SHA512
6815b1bd714c84f7b6dced299c085a83386f4a86d08b96fa89cc568df2ca12b8b996ad57d2c50494fb3204748ea793d3c5f478bb6ee0f192f117142e1218e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
79KB

MD5
cd00cdf930edabbcd207474e46d63674

SHA1
f18e14c9e96512f53fcfb98b067f0d06d6060f8c

SHA256
7b9f2ad22a8461702f644312fbe862e715991ef170474b9be5ca1d5a5093f6b8

SHA512
6815b1bd714c84f7b6dced299c085a83386f4a86d08b96fa89cc568df2ca12b8b996ad57d2c50494fb3204748ea793d3c5f478bb6ee0f192f117142e1218e266

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
79KB

MD5
6fb7e73bc8fd41a0513b143d5a02add2

SHA1
a76dc8507373f95007baac26995f2f63d357e7e4

SHA256
8dbd6396acf507e150737ec9ce3ce22c919c074563622d3d8db141b171fc530d

SHA512
af0c63b1f2f06afe8b1b988b959ba16b7516daca9fa103d7dcd0b4c743e24c7b14a71329b420b9caa0083d682f37b2899d5c6d6017568697f92b3942a5cbfd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
79KB

MD5
6fb7e73bc8fd41a0513b143d5a02add2

SHA1
a76dc8507373f95007baac26995f2f63d357e7e4

SHA256
8dbd6396acf507e150737ec9ce3ce22c919c074563622d3d8db141b171fc530d

SHA512
af0c63b1f2f06afe8b1b988b959ba16b7516daca9fa103d7dcd0b4c743e24c7b14a71329b420b9caa0083d682f37b2899d5c6d6017568697f92b3942a5cbfd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

Filesize
79KB

MD5
c603ec1d82892e3a473ee415f4735052

SHA1
a3fd5802525900269b9f933dbcffc6ab35a6fc17

SHA256
9857ea97fb033b0fb4727e65fe863f7b8259ef94ae4be523abab45ba341ce2cc

SHA512
641a2ebcfb330bb5d849152ea68d86d7fa2534106d44c3578fded2e08712e04d2eb41fb44412bdfc20ee1bc428def6da09641de900cbe0cf3a7d9c6e34aeb6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
31KB

MD5
85a478e545f0565a9d01a7460bce3fb5

SHA1
ddf5447930b3a4f2ce097cf5ff91aac47efab8dd

SHA256
a4ab0aaccc80755ef4acbac287ceb2831ffb8af4de1a94ca9aa8e1225f2ddf61

SHA512
440bfb58833409d52d1b1551aa6a304a9c15040df0f0ccdbea4b1486d1d7fc4cefcf246dacd13c96e1bb3c9f37b7a3b85ab46076c5218b0a18fd4ba736ec60c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32A85F0C-CD71-4CC9-9055-2F9A813F8334}\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32A85F0C-CD71-4CC9-9055-2F9A813F8334}\backup.exe

Filesize
79KB

MD5
ab612659b01ab753de5dc833b1c5755e

SHA1
8645f98f3b624a18297dab4d4220df4884e5408a

SHA256
355e7758229511d09579a2ade7d42805de381f86764daba4c914735598b58474

SHA512
f950e51fceb13377b4fd01be43922a87d94d221004b707a9c3ec2dcfefffd476c7db538064519fe7417c32b8a973fcfe077fba205a30594fd4bf81f809a3d13b

Download Submit
C:\backup.exe

Filesize
79KB

MD5
232659cfc590baa205c8b3b5030ab1cd

SHA1
c09d6da4056d3e7a2267f0be386a95f9c71d9270

SHA256
6c1c203c3a1bc1043000685038f1aaf1ef0c836bba56555079d9b140019adf69

SHA512
0d622dfe3ddbeff66279358fd8e7c3c075e75426260ea12d0314fbbe1062ed3076161fe292b3fb841e1259bf5e7bb34141e012c8e8136546583721c8d098e9e2

Download Submit
C:\backup.exe

Filesize
79KB

MD5
232659cfc590baa205c8b3b5030ab1cd

SHA1
c09d6da4056d3e7a2267f0be386a95f9c71d9270

SHA256
6c1c203c3a1bc1043000685038f1aaf1ef0c836bba56555079d9b140019adf69

SHA512
0d622dfe3ddbeff66279358fd8e7c3c075e75426260ea12d0314fbbe1062ed3076161fe292b3fb841e1259bf5e7bb34141e012c8e8136546583721c8d098e9e2

Download Submit
C:\odt\backup.exe

Filesize
79KB

MD5
25b5edf61e8982e134650b521f70fcff

SHA1
4486b77a5b70de4683f51a8776c6c35213390e0e

SHA256
ccb52f40dda28a8f9e8b7f577bc0e070dbfc60f1ccfcb1c8fd3c77d797486d27

SHA512
4869b8f267df8462920d834ccdec2843712e6ac6ca9f2e54fc46655f5b2a10c4fa42fa85c8560b55b3177bd3289eba606a5dd85c891f5ed373f3bab2222ac09d

Download Submit
C:\odt\backup.exe

Filesize
79KB

MD5
25b5edf61e8982e134650b521f70fcff

SHA1
4486b77a5b70de4683f51a8776c6c35213390e0e

SHA256
ccb52f40dda28a8f9e8b7f577bc0e070dbfc60f1ccfcb1c8fd3c77d797486d27

SHA512
4869b8f267df8462920d834ccdec2843712e6ac6ca9f2e54fc46655f5b2a10c4fa42fa85c8560b55b3177bd3289eba606a5dd85c891f5ed373f3bab2222ac09d

Download Submit
memory/688-94-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/768-240-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/884-80-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/968-77-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1020-313-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1056-196-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1108-394-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1168-367-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1228-314-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1384-391-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1516-174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1568-84-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1708-259-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1712-162-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1768-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1784-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-44-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1924-443-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2004-442-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2016-149-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2340-102-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2396-342-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2612-456-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2800-51-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2868-425-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2936-366-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3068-459-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3104-395-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3220-396-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3328-307-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3328-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3404-427-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3588-446-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3616-447-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3628-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3628-441-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3804-296-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3980-328-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4088-244-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4124-249-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4316-423-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4356-368-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4400-411-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4516-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4628-397-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4704-254-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-444-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4756-224-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4756-426-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4760-210-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4828-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4840-182-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4884-457-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4908-286-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4908-272-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4944-189-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5004-264-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5016-203-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5048-461-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5072-217-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5088-340-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5100-309-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5112-460-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5116-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads