ad947110ba97c0e2cc44cc201ea2c5438820c0286db911d92bd36f43bfd8ea43

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Size

447KB
MD5

e9a9c09e827051e1b775a4e2daff0b70
SHA1

a3996bd3b37e73ea8365c47f70287d8d599650ed
SHA256

ad947110ba97c0e2cc44cc201ea2c5438820c0286db911d92bd36f43bfd8ea43
SHA512

78d07741b7a6360082f870250587d55ffd6125bdb13469c369fa9867274348f798b885e080ddbdcd23e1f5edad46e273f565cdd907c9c4dfc864bc7f483e94a1
SSDEEP

768:CpQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEm3:CeT7BVwxfvLFwjR3

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe

Executes dropped EXE 63 IoCs

pid	Process
4972	backup.exe
3088	backup.exe
924	backup.exe
2332	backup.exe
3996	backup.exe
1120	backup.exe
2120	System Restore.exe
4508	backup.exe
4880	backup.exe
4480	data.exe
3692	backup.exe
2924	backup.exe
1312	backup.exe
3748	backup.exe
1992	backup.exe
4004	backup.exe
852	backup.exe
2016	backup.exe
2260	backup.exe
5092	backup.exe
3872	backup.exe
2300	backup.exe
3116	backup.exe
4284	backup.exe
2384	backup.exe
4532	backup.exe
5020	update.exe
1908	backup.exe
4088	backup.exe
600	backup.exe
4472	backup.exe
2240	backup.exe
4444	backup.exe
1836	backup.exe
4496	backup.exe
4300	backup.exe
4816	backup.exe
3840	backup.exe
1156	backup.exe
2224	backup.exe
1936	data.exe
1048	update.exe
5004	backup.exe
4028	backup.exe
2744	backup.exe
4936	update.exe
4752	System Restore.exe
4364	backup.exe
4248	backup.exe
756	backup.exe
1300	backup.exe
1896	backup.exe
3708	backup.exe
4276	backup.exe
4268	backup.exe
5012	backup.exe
2000	backup.exe
2384	backup.exe
4616	backup.exe
5020	backup.exe
2568	backup.exe
1720	backup.exe
1356	Process not Found

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e70-7.dat	upx
behavioral2/files/0x0007000000022e70-6.dat	upx
behavioral2/files/0x0007000000022e72-12.dat	upx
behavioral2/files/0x0007000000022e72-13.dat	upx
behavioral2/files/0x0007000000022e72-11.dat	upx
behavioral2/files/0x0008000000022e73-18.dat	upx
behavioral2/memory/924-21-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e74-26.dat	upx
behavioral2/files/0x0007000000022e74-27.dat	upx
behavioral2/files/0x0008000000022e73-20.dat	upx
behavioral2/memory/2332-34-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e76-39.dat	upx
behavioral2/files/0x0007000000022e76-40.dat	upx
behavioral2/files/0x0008000000022e75-33.dat	upx
behavioral2/files/0x0008000000022e75-32.dat	upx
behavioral2/memory/3088-19-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1120-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4144-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e77-50.dat	upx
behavioral2/files/0x0007000000022e7a-60.dat	upx
behavioral2/files/0x0008000000022e7b-63.dat	upx
behavioral2/memory/4508-65-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7b-64.dat	upx
behavioral2/files/0x0008000000022e7c-75.dat	upx
behavioral2/files/0x0008000000022e7d-80.dat	upx
behavioral2/memory/4480-79-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7c-78.dat	upx
behavioral2/memory/4972-77-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3692-92-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e80-95.dat	upx
behavioral2/files/0x0007000000022e80-94.dat	upx
behavioral2/memory/924-90-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7e-88.dat	upx
behavioral2/files/0x0007000000022e82-102.dat	upx
behavioral2/files/0x0009000000022e83-108.dat	upx
behavioral2/files/0x0009000000022e83-106.dat	upx
behavioral2/memory/3996-105-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e7f-117.dat	upx
behavioral2/memory/2120-121-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e87-123.dat	upx
behavioral2/files/0x0007000000022e87-122.dat	upx
behavioral2/memory/2924-119-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2016-130-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x000a000000022e81-136.dat	upx
behavioral2/files/0x000a000000022e81-138.dat	upx
behavioral2/files/0x0007000000022e90-144.dat	upx
behavioral2/files/0x0006000000022e93-148.dat	upx
behavioral2/files/0x0006000000022e93-149.dat	upx
behavioral2/files/0x0007000000022e96-161.dat	upx
behavioral2/memory/2300-163-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e96-162.dat	upx
behavioral2/memory/1312-159-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e97-173.dat	upx
behavioral2/memory/3116-175-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e99-177.dat	upx
behavioral2/files/0x0006000000022e99-176.dat	upx
behavioral2/memory/3996-169-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000022e9a-186.dat	upx
behavioral2/files/0x0007000000022e9b-192.dat	upx
behavioral2/files/0x0007000000022e9b-191.dat	upx
behavioral2/memory/852-190-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4532-189-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e9e-199.dat	upx

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
4972	backup.exe
3088	backup.exe
924	backup.exe
2332	backup.exe
3996	backup.exe
1120	backup.exe
2120	System Restore.exe
4508	backup.exe
4880	backup.exe
4480	data.exe
3692	backup.exe
2924	backup.exe
1312	backup.exe
3748	backup.exe
1992	backup.exe
4004	backup.exe
852	backup.exe
2016	backup.exe
2260	backup.exe
5092	backup.exe
3872	backup.exe
2300	backup.exe
3116	backup.exe
4284	backup.exe
2384	backup.exe
4532	backup.exe
1908	backup.exe
5020	update.exe
4088	backup.exe
600	backup.exe
2240	backup.exe
4472	backup.exe
4444	backup.exe
1836	backup.exe
4496	backup.exe
4300	backup.exe
4816	backup.exe
3840	backup.exe
2224	backup.exe
1156	backup.exe
1048	update.exe
1936	data.exe
5004	backup.exe
4028	backup.exe
2744	backup.exe
4936	update.exe
4752	System Restore.exe
4364	backup.exe
756	backup.exe
4248	backup.exe
1896	backup.exe
1300	backup.exe
3708	backup.exe
4276	backup.exe
4268	backup.exe
5012	backup.exe
2000	backup.exe
4616	backup.exe
2384	backup.exe
2568	backup.exe
5020	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4972	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	86
PID 4144 wrote to memory of 4972	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	86
PID 4144 wrote to memory of 4972	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	86
PID 4144 wrote to memory of 3088	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	91
PID 4144 wrote to memory of 3088	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	91
PID 4144 wrote to memory of 3088	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	91
PID 4144 wrote to memory of 924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	90
PID 4144 wrote to memory of 924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	90
PID 4144 wrote to memory of 924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	90
PID 4144 wrote to memory of 2332	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	87
PID 4144 wrote to memory of 2332	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	87
PID 4144 wrote to memory of 2332	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	87
PID 4144 wrote to memory of 3996	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	88
PID 4144 wrote to memory of 3996	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	88
PID 4144 wrote to memory of 3996	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	88
PID 4144 wrote to memory of 1120	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	89
PID 4144 wrote to memory of 1120	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	89
PID 4144 wrote to memory of 1120	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	89
PID 4972 wrote to memory of 2120	4972	backup.exe	133
PID 4972 wrote to memory of 2120	4972	backup.exe	133
PID 4972 wrote to memory of 2120	4972	backup.exe	133
PID 4144 wrote to memory of 4508	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	92
PID 4144 wrote to memory of 4508	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	92
PID 4144 wrote to memory of 4508	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	92
PID 2120 wrote to memory of 4880	2120	System Restore.exe	132
PID 2120 wrote to memory of 4880	2120	System Restore.exe	132
PID 2120 wrote to memory of 4880	2120	System Restore.exe	132
PID 4144 wrote to memory of 4480	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	129
PID 4144 wrote to memory of 4480	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	129
PID 4144 wrote to memory of 4480	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	129
PID 2120 wrote to memory of 3692	2120	System Restore.exe	128
PID 2120 wrote to memory of 3692	2120	System Restore.exe	128
PID 2120 wrote to memory of 3692	2120	System Restore.exe	128
PID 4144 wrote to memory of 2924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	93
PID 4144 wrote to memory of 2924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	93
PID 4144 wrote to memory of 2924	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	93
PID 2120 wrote to memory of 1312	2120	System Restore.exe	127
PID 2120 wrote to memory of 1312	2120	System Restore.exe	127
PID 2120 wrote to memory of 1312	2120	System Restore.exe	127
PID 2924 wrote to memory of 3748	2924	backup.exe	94
PID 2924 wrote to memory of 3748	2924	backup.exe	94
PID 2924 wrote to memory of 3748	2924	backup.exe	94
PID 3748 wrote to memory of 1992	3748	backup.exe	208
PID 3748 wrote to memory of 1992	3748	backup.exe	208
PID 3748 wrote to memory of 1992	3748	backup.exe	208
PID 1312 wrote to memory of 4004	1312	backup.exe	121
PID 1312 wrote to memory of 4004	1312	backup.exe	121
PID 1312 wrote to memory of 4004	1312	backup.exe	121
PID 4144 wrote to memory of 852	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	95
PID 4144 wrote to memory of 852	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	95
PID 4144 wrote to memory of 852	4144	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	95
PID 4004 wrote to memory of 2016	4004	backup.exe	120
PID 4004 wrote to memory of 2016	4004	backup.exe	120
PID 4004 wrote to memory of 2016	4004	backup.exe	120
PID 852 wrote to memory of 2260	852	backup.exe	119
PID 852 wrote to memory of 2260	852	backup.exe	119
PID 852 wrote to memory of 2260	852	backup.exe	119
PID 1312 wrote to memory of 5092	1312	backup.exe	96
PID 1312 wrote to memory of 5092	1312	backup.exe	96
PID 1312 wrote to memory of 5092	1312	backup.exe	96
PID 2260 wrote to memory of 3872	2260	backup.exe	118
PID 2260 wrote to memory of 3872	2260	backup.exe	118
PID 2260 wrote to memory of 3872	2260	backup.exe	118
PID 5092 wrote to memory of 2300	5092	backup.exe	117

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4144
- C:\Users\Admin\AppData\Local\Temp\{0F4E9933-CE5B-4E95-9D37-28E031478774}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{0F4E9933-CE5B-4E95-9D37-28E031478774}\backup.exe C:\Users\Admin\AppData\Local\Temp\{0F4E9933-CE5B-4E95-9D37-28E031478774}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4972
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2120
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:4756
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:3408
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4268
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        
        PID:5020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:1796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2760
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:4704
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        
        PID:116
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:5076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:3552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:4812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:2308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:1848
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        10⤵
        
        PID:4852
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        11⤵
        
        PID:2192
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        10⤵
        
        PID:3648
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        11⤵
        
        PID:816
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        10⤵
        
        PID:860
        
        C:\Windows\assembly\GAC\Extensibility\System Restore.exe
        
        "C:\Windows\assembly\GAC\Extensibility\System Restore.exe" C:\Windows\assembly\GAC\Extensibility\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4752
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        10⤵
        
        PID:60
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        11⤵
        
        PID:2528
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        10⤵
        
        PID:3524
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        11⤵
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:4696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2568
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:5000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3296
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:4404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:3080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        
        PID:1260
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:1308
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:2932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:3384
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        9⤵
        
        PID:824
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:4660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:380
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:3996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:3128
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:1256
      - C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
        6⤵
        
        PID:4364
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        7⤵
        
        PID:1228
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        8⤵
        
        PID:640
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        8⤵
        
        PID:3396
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        8⤵
        
        PID:616
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        8⤵
        
        PID:2980
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        8⤵
        
        PID:2904
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        8⤵
        
        PID:2840
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2312
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:5048
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:5108
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:3416
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:672
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:3900
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        8⤵
        
        PID:3996
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        
        PID:3460
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        
        PID:4668
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        
        PID:2064
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        
        PID:4460
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:4992
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        
        PID:1920
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:2428
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:1192
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        
        PID:3944
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:820
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:4220
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        
        PID:3592
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:4948
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:4768
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        
        PID:4812
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:3524
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2472
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:4668
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1788
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:448
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:4220
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1256
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
        7⤵
        
        PID:3872
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        9⤵
        
        PID:1364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
        8⤵
        
        PID:4360
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        9⤵
        
        PID:3188
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
        9⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
        9⤵
        
        PID:720
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        9⤵
        
        PID:3880
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:4564
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2364
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:4028
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2736
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:4640
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:4764
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:2916
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:4776
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:4536
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:4464
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:4776
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2120
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:3548
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:316
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:3328
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4028
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:4000
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:2984
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:3032
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:376
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2496
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:972
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:392
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
        9⤵
        
        PID:3328
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:220
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1752
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:4428
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2132
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:4392
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3536
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:4224
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:2936
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:3696
        
        C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{5D02C9B9-7A41-4ABC-8923-E3E11EEC098C}\
        8⤵
        
        PID:3184
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:116
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:716
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:4172
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:3928
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:4868
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:3596
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:1488
      - C:\Program Files (x86)\Internet Explorer\it-IT\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\data.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4244
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        
        PID:3004
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        
        PID:4432
      - C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\
        6⤵
        
        PID:2452
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\
        7⤵
        
        PID:1072
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\
        8⤵
        
        PID:4432
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x64\
        9⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\EBWebView\x86\
        9⤵
        
        PID:1460
        
        C:\Windows\Globalization\ELS\backup.exe
        
        C:\Windows\Globalization\ELS\backup.exe C:\Windows\Globalization\ELS\
        10⤵
        
        PID:4232
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe
        
        C:\Windows\Globalization\ELS\Transliteration\backup.exe C:\Windows\Globalization\ELS\Transliteration\
        11⤵
        
        PID:1176
        
        C:\Windows\Globalization\ICU\backup.exe
        
        C:\Windows\Globalization\ICU\backup.exe C:\Windows\Globalization\ICU\
        10⤵
        
        PID:2496
        
        C:\Windows\Globalization\Sorting\backup.exe
        
        C:\Windows\Globalization\Sorting\backup.exe C:\Windows\Globalization\Sorting\
        10⤵
        
        PID:600
        
        C:\Windows\Globalization\Time Zone\backup.exe
        
        "C:\Windows\Globalization\Time Zone\backup.exe" C:\Windows\Globalization\Time Zone\
        10⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\BHO\
        8⤵
        
        PID:3988
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\edge_feedback\
        8⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Extensions\
        8⤵
        
        PID:220
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\
        8⤵
        
        PID:4016
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win11\
        9⤵
        
        PID:3848
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\identity_proxy\win10\
        9⤵
        
        PID:3084
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Installer\
        8⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Locales\
        8⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\MEIPreload\
        8⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Notifications\
        8⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\PdfPreview\
        8⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\
        8⤵
        
        PID:5008
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\update.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Mu\
        9⤵
        
        PID:3200
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\Trust Protection Lists\Sigma\
        9⤵
        
        PID:2328
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\update.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\VisualElements\
        8⤵
        
        PID:3348
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\
        8⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\
        9⤵
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\update.exe" C:\Program Files (x86)\Microsoft\EdgeCore\118.0.2088.57\WidevineCdm\_platform_specific\win_x64\
        10⤵
        
        PID:3420
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\
        6⤵
        
        PID:5044
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.177.11\
        7⤵
        
        PID:2496
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\
        7⤵
        
        PID:1896
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:60
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.177.11\
        9⤵
        
        PID:3924
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\
        7⤵
        
        PID:3328
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\data.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\
        8⤵
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4144D4F1-B7D3-4764-B96B-1DD2F4562087}\EDGEMITMP_F9E5D.tmp\
        9⤵
        
        PID:4092
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\
        7⤵
        
        PID:1608
      - C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\
        6⤵
        
        PID:2812
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
        7⤵
        
        PID:844
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\
        8⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\data.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\data.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\BHO\
        9⤵
        
        PID:4056
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\
        9⤵
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x64\
        10⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\EBWebView\x86\
        10⤵
        
        PID:624
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\edge_feedback\
        9⤵
        
        PID:3732
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Extensions\
        9⤵
        
        PID:1776
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\
        9⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win11\
        10⤵
        
        PID:4764
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Installer\
        9⤵
        
        PID:3048
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Locales\
        9⤵
        
        PID:1640
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:1080
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\MEIPreload\
        9⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\Notifications\
        9⤵
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\System Restore.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\PdfPreview\
        9⤵
        
        PID:4428
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\ResiliencyLinks\
        9⤵
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\update.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\update.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\
        8⤵
        
        PID:2244
      - C:\Program Files (x86)\Microsoft\Temp\data.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\data.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:4132
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:1672
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:816
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:3212
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:4088
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:5080
      - C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
        6⤵
        
        PID:3660
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\update.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\update.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2456
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:316
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:4140
    - - C:\Program Files (x86)\Reference Assemblies\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\backup.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:4764
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
        6⤵
        
        PID:4568
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
        7⤵
        
        PID:2528
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:3300
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        
        PID:1244
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\
        10⤵
        
        PID:888
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:5068
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        
        PID:3008
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\update.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\update.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:3144
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        9⤵
        
        PID:4028
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\
        9⤵
        
        PID:1064
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        
        PID:3084
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:4232
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:4316
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        9⤵
        
        PID:4340
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\291910c52afc6a4c83bd042f709c7e57\
        10⤵
        
        PID:4872
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\47e786300d57b2248515da5569427c4e\
        10⤵
        
        PID:3656
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\
        10⤵
        
        PID:3648
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f334dca9ae9dc06224e9b43875b3aa90\
        10⤵
        
        PID:4556
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\
        9⤵
        
        PID:2320
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        9⤵
        
        PID:3420
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\data.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\data.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        9⤵
        
        PID:5092
    - - C:\Program Files (x86)\Windows Defender\System Restore.exe
        
        "C:\Program Files (x86)\Windows Defender\System Restore.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:3796
      - C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        6⤵
        
        PID:984
      - C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\backup.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:860
      - C:\Program Files (x86)\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\backup.exe" C:\Program Files (x86)\Windows Defender\it-IT\
        6⤵
        
        PID:4680
      - C:\Program Files (x86)\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\backup.exe" C:\Program Files (x86)\Windows Defender\es-ES\
        6⤵
        
        PID:1644
      - C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\backup.exe" C:\Program Files (x86)\Windows Defender\ja-JP\
        6⤵
        
        PID:1196
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Windows Media Player\System Restore.exe
        
        "C:\Program Files (x86)\Windows Media Player\System Restore.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        
        PID:3488
      - C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\de-DE\backup.exe" C:\Program Files (x86)\Windows Media Player\de-DE\
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Windows Media Player\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\en-US\backup.exe" C:\Program Files (x86)\Windows Media Player\en-US\
        6⤵
        
        PID:4956
      - C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\es-ES\backup.exe" C:\Program Files (x86)\Windows Media Player\es-ES\
        6⤵
        
        PID:3408
      - C:\Program Files (x86)\Windows Media Player\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\fr-FR\backup.exe" C:\Program Files (x86)\Windows Media Player\fr-FR\
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\backup.exe" C:\Program Files (x86)\Windows Media Player\it-IT\
        6⤵
        
        PID:3416
      - C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\backup.exe" C:\Program Files (x86)\Windows Media Player\ja-JP\
        6⤵
        
        PID:1732
      - C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\backup.exe" C:\Program Files (x86)\Windows Media Player\Media Renderer\
        6⤵
        
        PID:4968
    - - C:\Program Files (x86)\Windows Multimedia Platform\backup.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\backup.exe" C:\Program Files (x86)\Windows Multimedia Platform\
        5⤵
        
        PID:2204
    - - C:\Program Files (x86)\Windows NT\backup.exe
        
        "C:\Program Files (x86)\Windows NT\backup.exe" C:\Program Files (x86)\Windows NT\
        5⤵
        
        PID:1504
      - C:\Program Files (x86)\Windows NT\Accessories\backup.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\backup.exe" C:\Program Files (x86)\Windows NT\Accessories\
        6⤵
        
        PID:2804
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\backup.exe" C:\Program Files (x86)\Windows NT\Accessories\en-US\
        7⤵
        
        PID:1756
      - C:\Program Files (x86)\Windows NT\TableTextService\backup.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\backup.exe" C:\Program Files (x86)\Windows NT\TableTextService\
        6⤵
        
        PID:2040
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1776
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:4764
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:4276
        
        C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
        7⤵
        
        PID:1308
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2280
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2228
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2184
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:4988
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2196
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4868
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        
        PID:3988
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:444
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4860
      - C:\Windows\appcompat\encapsulation\backup.exe
        
        C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3356
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3792
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:3812
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:2260
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:3328
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe
        
        C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:924
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:4020
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:4364
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:4876
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:5048
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:3656
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:3476
      - C:\Windows\apppatch\ja-JP\data.exe
        
        C:\Windows\apppatch\ja-JP\data.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:4436
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:1712
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:2916
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2480
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        
        PID:2012
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe
        
        C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:1444
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:888
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:4480
        
        C:\Windows\Branding\Basebrd\fr-FR\System Restore.exe
        
        "C:\Windows\Branding\Basebrd\fr-FR\System Restore.exe" C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:3656
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:3356
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:376
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:2232
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2332
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:2224
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:3996
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1988
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:1048
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:1660
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:3636
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2040
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:4732
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\
        7⤵
        
        PID:740
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4632
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\
        9⤵
        
        PID:2360
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\backup.exe C:\Windows\assembly\GAC_64\MSBuild\
        7⤵
        
        PID:4948
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4688
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\backup.exe C:\Windows\assembly\GAC_64\mscorlib\
        7⤵
        
        PID:5044
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\
        8⤵
        
        PID:2304
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_64\PresentationCore\backup.exe C:\Windows\assembly\GAC_64\PresentationCore\
        7⤵
        
        PID:1244
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\backup.exe C:\Windows\assembly\GAC_64\srmlib\
        7⤵
        
        PID:2468
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2016
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_64\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_64\System.Data.OracleClient\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5020
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_64\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_64\System.EnterpriseServices\
        7⤵
        
        PID:1640
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:4916
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\data.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\data.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        
        PID:1248
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3372
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\
        7⤵
        
        PID:4812
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:4000
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\
        7⤵
        
        PID:4684
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_es_b03f5f7f11d50a3a\
        8⤵
        
        PID:1684
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_de_b03f5f7f11d50a3a\
        8⤵
        
        PID:3848
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\
        8⤵
        
        PID:3008
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\
        8⤵
        
        PID:2952
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\AspNetMMCExt.Resources\2.0.0.0_it_b03f5f7f11d50a3a\
        8⤵
        
        PID:1752
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:1156
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        
        PID:1308
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\data.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\data.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2840
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:544
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\
        7⤵
        
        PID:3452
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\06e4ead630bb224419e9830affdafb8c\
        8⤵
        
        PID:4424
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0c5c095df94f2312c1107726858cffe2\
        8⤵
        
        PID:2368
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a3a54d1c0d022e4ccf266b954fe01230\
        8⤵
        
        PID:3892
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0db851c73d11018ad4b5a4d0d4be2e36\
        8⤵
        
        PID:184
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\
        7⤵
        
        PID:1308
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\
        7⤵
        
        PID:4572
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\0c596f320c82d9ea5d0b5a6362a0750a\
        8⤵
        
        PID:308
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4276
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5012
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\
        7⤵
        
        PID:4392
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:4564
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\
        7⤵
        
        PID:2896
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\3526cd5a741d8cbdf5fa48b7f6fe88d3\
        8⤵
        
        PID:2932
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\
        7⤵
        
        PID:852
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        
        PID:2736
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:1608
    - - C:\Windows\Containers\backup.exe
        
        C:\Windows\Containers\backup.exe C:\Windows\Containers\
        5⤵
        
        PID:392
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:3872
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:4556
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4616
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1892
    - - C:\Windows\DiagTrack\update.exe
        
        C:\Windows\DiagTrack\update.exe C:\Windows\DiagTrack\
        5⤵
        
        PID:3988
      - C:\Windows\DiagTrack\Scenarios\update.exe
        
        C:\Windows\DiagTrack\Scenarios\update.exe C:\Windows\DiagTrack\Scenarios\
        6⤵
        
        PID:4556
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:4660
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:2932
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:4872
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:4236
    - - C:\Windows\es-ES\System Restore.exe
        
        "C:\Windows\es-ES\System Restore.exe" C:\Windows\es-ES\
        5⤵
        
        PID:1156
      - C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
        6⤵
        
        PID:1928
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        
        PID:3920
    - - C:\Windows\GameBarPresenceWriter\backup.exe
        
        C:\Windows\GameBarPresenceWriter\backup.exe C:\Windows\GameBarPresenceWriter\
        5⤵
        
        PID:3876
    - - C:\Windows\fr-FR\backup.exe
        
        C:\Windows\fr-FR\backup.exe C:\Windows\fr-FR\
        5⤵
        
        PID:4100
    - - C:\Windows\Help\System Restore.exe
        
        "C:\Windows\Help\System Restore.exe" C:\Windows\Help\
        5⤵
        
        PID:972
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3996
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:924
- C:\Users\Admin\AppData\Local\Temp\2445145824\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2445145824\backup.exe C:\Users\Admin\AppData\Local\Temp\2445145824\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3088
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      PID:1992
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_847672536\CRX_INSTALL\
    3⤵
    PID:4688

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5092
- C:\Program Files\Common Files\microsoft shared\backup.exe
  "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4284
- - C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4532
- - C:\Program Files\Common Files\microsoft shared\ink\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1908
  - - C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:5004
  - - C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2744
  - - C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
      4⤵
      PID:4364
  - - C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
      4⤵
      PID:756
  - - C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
      4⤵
      PID:1300
  - - C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
      4⤵
      PID:4276
  - - C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe
      "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
      4⤵
      PID:5012
  - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
      4⤵
      PID:2384
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        5⤵
        
        PID:2568
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        5⤵
        
        PID:1356
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        5⤵
        
        PID:1796
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        5⤵
        
        PID:1044
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        5⤵
        
        PID:3604
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        5⤵
        
        PID:3328
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        5⤵
        
        PID:2332
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        5⤵
        
        PID:2072
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        5⤵
        
        PID:1936
    - - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        5⤵
        
        PID:4172
  - - C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
      4⤵
      PID:5096
  - - C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
      4⤵
      PID:2708
  - - C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
      4⤵
      PID:2812
  - - C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
      4⤵
      PID:2340
  - - C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
      4⤵
      PID:2312
  - - C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
      "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
      4⤵
      PID:1628
  - - C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
      4⤵
      PID:4100
  - - C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
      4⤵
      PID:4508
  - - C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
      4⤵
      PID:3156
  - - C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
      4⤵
      PID:4224
  - - C:\Program Files\Common Files\microsoft shared\ink\nb-NO\data.exe
      "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
      4⤵
      PID:1608
  - - C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
      4⤵
      PID:4640
  - - C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
      4⤵
      PID:2332
    - - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        5⤵
        
        PID:4708
      - C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        6⤵
        
        PID:948
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:2944
      - C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        6⤵
        
        PID:2236
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        7⤵
        
        PID:3292
      - C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        6⤵
        
        PID:1788
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:4632
      - C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        6⤵
        
        PID:2360
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:4340
      - C:\Windows\assembly\GAC_32\MSBuild\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\
        6⤵
        
        PID:624
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:1432
      - C:\Windows\assembly\GAC_32\mscorlib\data.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\data.exe C:\Windows\assembly\GAC_32\mscorlib\
        6⤵
        
        PID:1752
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\
        7⤵
        
        PID:2052
      - C:\Windows\assembly\GAC_32\PresentationCore\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\
        6⤵
        
        PID:4436
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:1308
      - C:\Windows\assembly\GAC_32\srmlib\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\backup.exe C:\Windows\assembly\GAC_32\srmlib\
        6⤵
        
        PID:516
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\
        7⤵
        
        PID:3128
      - C:\Windows\assembly\GAC_32\System.Data\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\backup.exe C:\Windows\assembly\GAC_32\System.Data\
        6⤵
        
        PID:3024
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\
        7⤵
        
        PID:1328
      - C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\
        6⤵
        
        PID:4252
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\
        7⤵
        
        PID:4140
      - C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\
        6⤵
        
        PID:3900
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:4968
      - C:\Windows\assembly\GAC_32\System.Printing\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Printing\backup.exe C:\Windows\assembly\GAC_32\System.Printing\
        6⤵
        
        PID:820
      - C:\Windows\assembly\GAC_32\System.Web\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\backup.exe C:\Windows\assembly\GAC_32\System.Web\
        6⤵
        
        PID:1916
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:3068
    - - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        5⤵
        
        PID:1848
      - C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        6⤵
        
        PID:716
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        7⤵
        
        PID:1228
  - - C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
      4⤵
      PID:380
  - - C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
      4⤵
      PID:4856
  - - C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
      4⤵
      PID:2924
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        5⤵
        
        PID:4968
  - - C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
      4⤵
      PID:4396
  - - C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
      4⤵
      PID:3592
  - - C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
      4⤵
      PID:1796
  - - C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
      4⤵
      PID:4808
  - - C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
      4⤵
      PID:2708
  - - C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe
      "C:\Program Files\Common Files\microsoft shared\ink\th-TH\update.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
      4⤵
      PID:4020
  - - C:\Program Files\Common Files\microsoft shared\ink\tr-TR\update.exe
      "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
      4⤵
      PID:4812
  - - C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
      4⤵
      PID:3084
  - - C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
      4⤵
      PID:4872
  - - C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
      "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
      4⤵
      PID:3356
- - C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
    3⤵
    PID:2660
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
      4⤵
      PID:4232
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
      4⤵
      PID:1368
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
      4⤵
      PID:3932
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
      4⤵
      PID:1252
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
      4⤵
      PID:1712
    - - C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        5⤵
        
        PID:3236
  - - C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
      "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
      4⤵
      PID:3696
- - C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
    "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
    3⤵
    PID:3084
  - - C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
      "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
      4⤵
      PID:4048
- - C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
    "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2224
- - C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
    "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
    3⤵
    PID:1008
- - C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
    "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
    3⤵
    PID:3416
- - C:\Program Files\Common Files\microsoft shared\TextConv\data.exe
    "C:\Program Files\Common Files\microsoft shared\TextConv\data.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
    3⤵
    PID:1712
- - C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
    "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
    3⤵
    PID:1584
  - - C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
      "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
      4⤵
      PID:852
- - C:\Program Files\Common Files\microsoft shared\VC\backup.exe
    "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
    3⤵
    PID:1256
- - C:\Program Files\Common Files\microsoft shared\VGX\update.exe
    "C:\Program Files\Common Files\microsoft shared\VGX\update.exe" C:\Program Files\Common Files\microsoft shared\VGX\
    3⤵
    PID:516
- - C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
    "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
    3⤵
    PID:3880
- C:\Program Files\Common Files\DESIGNER\backup.exe
  "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2300
- C:\Program Files\Common Files\Services\backup.exe
  "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
  2⤵
  PID:316
- C:\Program Files\Common Files\System\backup.exe
  "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
  2⤵
  PID:3572
- - C:\Program Files\Common Files\System\ado\backup.exe
    "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4472
  - - C:\Program Files\Common Files\System\ado\de-DE\backup.exe
      "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
      4⤵
      PID:2360
  - - C:\Program Files\Common Files\System\ado\en-US\backup.exe
      "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
      4⤵
      PID:4520
  - - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
      "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1992
  - - C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
      4⤵
      PID:3032
  - - C:\Program Files\Common Files\System\ado\it-IT\backup.exe
      "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
      4⤵
      PID:516
  - - C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
      4⤵
      PID:1592
- - C:\Program Files\Common Files\System\de-DE\backup.exe
    "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
    3⤵
    PID:4308
- - C:\Program Files\Common Files\System\en-US\backup.exe
    "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
    3⤵
    PID:4536
- - C:\Program Files\Common Files\System\es-ES\backup.exe
    "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
    3⤵
    PID:860
  - - C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe
      "C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\System Restore.exe" C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
      4⤵
      PID:4812
- - C:\Program Files\Common Files\System\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
    3⤵
    PID:4688
- - C:\Program Files\Common Files\System\it-IT\backup.exe
    "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
    3⤵
    PID:640
- - C:\Program Files\Common Files\System\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
    3⤵
    PID:60
- - C:\Program Files\Common Files\System\msadc\backup.exe
    "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
    3⤵
    PID:2244
  - - C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
      "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
      4⤵
      PID:2260
  - - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
      "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
      4⤵
      PID:3708
  - - C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
      "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
      4⤵
      PID:1892
  - - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
      "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
      4⤵
      PID:1444
  - - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
      4⤵
      PID:2028
  - - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
      4⤵
      PID:2360
    - - C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
        5⤵
        
        PID:2428
- - C:\Program Files\Common Files\System\Ole DB\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
    3⤵
    PID:2340
  - - C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
      4⤵
      PID:4688
  - - C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
      4⤵
      PID:432
  - - C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
      4⤵
      PID:1936
  - - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
      4⤵
      PID:3148
  - - C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
      4⤵
      PID:2480
  - - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
      4⤵
      PID:3924

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3116

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\
1⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:600

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
1⤵
PID:1836

C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
1⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\el\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4496

C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
1⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\update.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\en_US\
1⤵
PID:4816

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es_419\
1⤵
PID:1048

C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-GB\data.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\es\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1156

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\de\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2240

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
1⤵
PID:4472

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4088

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3872
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\et\
  2⤵
  PID:4028
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\update.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\eu\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fi\
  2⤵
  PID:4752
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fil\
  2⤵
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr\
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\fr_CA\
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\update.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\update.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gl\
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\gu\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\data.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hr\
  2⤵
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\hu\
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\is\
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\it\
  2⤵
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\iw\
  2⤵
  PID:888
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ja\
  2⤵
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ka\
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\kk\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\km\
  2⤵
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ko\
  2⤵
  PID:1684
- - C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
    3⤵
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lo\
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\lt\
  2⤵
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ml\
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\data.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\data.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mn\
  2⤵
  PID:4764
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\mr\
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ms\
  2⤵
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\my\
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ne\
  2⤵
  PID:3452
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\nl\
  2⤵
  PID:544
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\no\
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\pt_BR\
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ro\
  2⤵
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\si\
  2⤵
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sk\
  2⤵
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sl\
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sr\
  2⤵
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ta\
  2⤵
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\sv\
  2⤵
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\th\
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ur\
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\vi\
  2⤵
  PID:720
- C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\zh_CN\
  2⤵
  PID:2368

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2016

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1312
- C:\Program Files\Google\backup.exe
  "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
  2⤵
  PID:1896
- - C:\Program Files\Google\Chrome\backup.exe
    "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
    3⤵
    PID:3048
  - - C:\Program Files\Google\Chrome\Application\backup.exe
      "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
      4⤵
      PID:2932
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1836
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        6⤵
        
        PID:1444
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        6⤵
        
        PID:2304
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        6⤵
        
        PID:3708
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        6⤵
        
        PID:2916
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        6⤵
        
        PID:1552
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        6⤵
        
        PID:4816
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        6⤵
        
        PID:4092
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        7⤵
        
        PID:3356
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2384
    - - C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        5⤵
        
        PID:2944
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        6⤵
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
        7⤵
        
        PID:360
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
        8⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        9⤵
        
        PID:1176
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        9⤵
        
        PID:2896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
        7⤵
        
        PID:4940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
        8⤵
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        9⤵
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        9⤵
        
        PID:3876
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
        7⤵
        
        PID:2008
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
        6⤵
        
        PID:532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        8⤵
        
        PID:4868
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
        9⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
        7⤵
        
        PID:628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
        7⤵
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
        7⤵
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
        8⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
        9⤵
        
        PID:4036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
        7⤵
        
        PID:4532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        8⤵
        
        PID:4668
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
        9⤵
        
        PID:1308
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
        6⤵
        
        PID:2660
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
        7⤵
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        8⤵
        
        PID:3160
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
        9⤵
        
        PID:3080
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
        10⤵
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
        10⤵
        
        PID:916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
        10⤵
        
        PID:4172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
        10⤵
        
        PID:3696
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
        10⤵
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
        10⤵
        
        PID:3144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
        10⤵
        
        PID:4000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
        10⤵
        
        PID:2984
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
        10⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
        10⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
        10⤵
        
        PID:532
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
        10⤵
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
        10⤵
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
        10⤵
        
        PID:3440
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
        10⤵
        
        PID:2496
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
        10⤵
        
        PID:2328
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\
        10⤵
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\
        10⤵
        
        PID:5036
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\
        10⤵
        
        PID:5056
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\
        10⤵
        
        PID:3692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\
        10⤵
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\
        10⤵
        
        PID:3980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\
        10⤵
        
        PID:3156
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\
        10⤵
        
        PID:4632
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
        7⤵
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        8⤵
        
        PID:948
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
        7⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        8⤵
        
        PID:4480
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        9⤵
        
        PID:672
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        10⤵
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        10⤵
        
        PID:4776
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\
        10⤵
        
        PID:4200
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\
        10⤵
        
        PID:1144
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\
        10⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\
        10⤵
        
        PID:1896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\
        10⤵
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\
        10⤵
        
        PID:2304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\
        10⤵
        
        PID:60
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\
        10⤵
        
        PID:2040
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\
        10⤵
        
        PID:3108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\
        10⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\
        10⤵
        
        PID:4960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\
        10⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
        7⤵
        
        PID:4968
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        8⤵
        
        PID:600
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        9⤵
        
        PID:4540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\
        10⤵
        
        PID:1300
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\
        10⤵
        
        PID:4004
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\
        10⤵
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\
        10⤵
        
        PID:4528
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\
        10⤵
        
        PID:4856
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\
        10⤵
        
        PID:2916
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\
        10⤵
        
        PID:3512
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\
        10⤵
        
        PID:1472
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\
        10⤵
        
        PID:3952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
        7⤵
        
        PID:3812
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\
        8⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\
        9⤵
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\
        8⤵
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\
        9⤵
        
        PID:2772
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
        7⤵
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\
        7⤵
        
        PID:4464
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\
        8⤵
        
        PID:788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\
        9⤵
        
        PID:4572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\
        9⤵
        
        PID:184
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\
        9⤵
        
        PID:2528
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\backup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\
    3⤵
    PID:3552
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\update.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\update.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\118.0.2088.57\
      4⤵
      PID:3444
- C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  2⤵
  PID:4160
- - C:\Program Files\Internet Explorer\de-DE\backup.exe
    "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
    3⤵
    PID:4640
- - C:\Program Files\Internet Explorer\en-US\backup.exe
    "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:756
- - C:\Program Files\Internet Explorer\es-ES\backup.exe
    "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\fr-FR\backup.exe
    "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
    3⤵
    PID:2040
- - C:\Program Files\Internet Explorer\images\backup.exe
    "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Program Files\Internet Explorer\it-IT\backup.exe
    "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
    3⤵
    PID:2352
- - C:\Program Files\Internet Explorer\ja-JP\backup.exe
    "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
    3⤵
    PID:1052
- - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
    "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
    3⤵
    PID:5108
- C:\Program Files\Java\backup.exe
  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
  2⤵
  PID:4960
- - C:\Program Files\Java\jdk-1.8\backup.exe
    "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
    3⤵
    PID:984
  - - C:\Program Files\Java\jdk-1.8\bin\System Restore.exe
      "C:\Program Files\Java\jdk-1.8\bin\System Restore.exe" C:\Program Files\Java\jdk-1.8\bin\
      4⤵
      PID:1788
  - - C:\Program Files\Java\jdk-1.8\include\System Restore.exe
      "C:\Program Files\Java\jdk-1.8\include\System Restore.exe" C:\Program Files\Java\jdk-1.8\include\
      4⤵
      PID:1504
    - - C:\Program Files\Java\jdk-1.8\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        5⤵
        
        PID:544
      - C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        6⤵
        
        PID:4768
  - - C:\Program Files\Java\jdk-1.8\jre\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
      4⤵
      PID:2520
    - - C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        5⤵
        
        PID:1788
      - C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        6⤵
        
        PID:1256
      - C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        6⤵
        
        PID:3996
      - C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        6⤵
        
        PID:1052
    - - C:\Program Files\Java\jdk-1.8\jre\legal\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\update.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        5⤵
        
        PID:4764
      - C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        6⤵
        
        PID:1608
      - C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        6⤵
        
        PID:4812
    - - C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        5⤵
        
        PID:3048
      - C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        6⤵
        
        PID:4844
      - C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        6⤵
        
        PID:4056
      - C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        6⤵
        
        PID:2660
      - C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        6⤵
        
        PID:1612
      - C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        6⤵
        
        PID:916
      - C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        6⤵
        
        PID:3772
        
        C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        7⤵
        
        PID:4916
      - C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        6⤵
        
        PID:3980
      - C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        6⤵
        
        PID:5092
      - C:\Program Files\Java\jdk-1.8\jre\lib\security\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        6⤵
        
        PID:4732
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        7⤵
        
        PID:3424
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
        8⤵
        
        PID:2984
        
        C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
        8⤵
        
        PID:1612
      - C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        6⤵
        
        PID:5048
  - - C:\Program Files\Java\jdk-1.8\legal\backup.exe
      "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
      4⤵
      PID:1912
    - - C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        5⤵
        
        PID:4396
    - - C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        5⤵
        
        PID:640
  - - C:\Program Files\Java\jdk-1.8\lib\backup.exe
      "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
      4⤵
      PID:1196
- - C:\Program Files\Java\jre-1.8\backup.exe
    "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
    3⤵
    PID:2552
  - - C:\Program Files\Java\jre-1.8\bin\backup.exe
      "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
      4⤵
      PID:4692
    - - C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        5⤵
        
        PID:1344
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        6⤵
        
        PID:2552
    - - C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        5⤵
        
        PID:3732
    - - C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        5⤵
        
        PID:2480
  - - C:\Program Files\Java\jre-1.8\legal\backup.exe
      "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
      4⤵
      PID:3024
    - - C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        5⤵
        
        PID:3772
    - - C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        5⤵
        
        PID:2472
  - - C:\Program Files\Java\jre-1.8\lib\backup.exe
      "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4248
    - - C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        5⤵
        
        PID:1428
    - - C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
        5⤵
        
        PID:2472
    - - C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
        5⤵
        
        PID:2072
    - - C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
        5⤵
        
        PID:3548
    - - C:\Program Files\Java\jre-1.8\lib\images\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
        5⤵
        
        PID:2360
    - - C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
        5⤵
        
        PID:1628
    - - C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        5⤵
        
        PID:2132
    - - C:\Program Files\Java\jre-1.8\lib\management\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
        5⤵
        
        PID:776
    - - C:\Program Files\Java\jre-1.8\lib\security\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
        5⤵
        
        PID:2896
      - C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
        6⤵
        
        PID:3848
        
        C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
        7⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\backup.exe" C:\Program Files (x86)\Microsoft\EdgeWebView\Application\118.0.2088.57\identity_proxy\win10\
        8⤵
        
        PID:1708
    - - C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
        5⤵
        
        PID:4648
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  PID:3392
- - C:\Program Files\Microsoft Office\Office16\backup.exe
    "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
    3⤵
    PID:4576
- - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
    "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
    3⤵
    PID:4708
  - - C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
      C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
      4⤵
      PID:3604
    - - C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        5⤵
        
        PID:4644
- - C:\Program Files\Microsoft Office\root\backup.exe
    "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
    3⤵
    PID:3748
  - - C:\Program Files\Microsoft Office\root\Client\backup.exe
      "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
      4⤵
      PID:916
  - - C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
      "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
      4⤵
      PID:4016
    - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        5⤵
        
        PID:4088
    - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        5⤵
        
        PID:60
    - - C:\Program Files\Microsoft Office\Updates\Download\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
        5⤵
        
        PID:4948
      - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        6⤵
        
        PID:4424
    - - C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        5⤵
        
        PID:4344
  - - C:\Program Files\Microsoft Office\root\Licenses\System Restore.exe
      "C:\Program Files\Microsoft Office\root\Licenses\System Restore.exe" C:\Program Files\Microsoft Office\root\Licenses\
      4⤵
      PID:4644
  - - C:\Program Files\Microsoft Office\root\loc\backup.exe
      "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
      4⤵
      PID:4092
  - - C:\Program Files\Microsoft Office\root\Office15\backup.exe
      "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
      4⤵
      PID:4128
  - - C:\Program Files\Microsoft Office\root\Office16\backup.exe
      "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
      4⤵
      PID:1692
    - - C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        5⤵
        
        PID:2236
      - C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        6⤵
        
        PID:2184
      - C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        6⤵
        
        PID:4800
      - C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        6⤵
        
        PID:3444
    - - C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        5⤵
        
        PID:3200
    - - C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        5⤵
        
        PID:4852
    - - C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        5⤵
        
        PID:4768
      - C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        6⤵
        
        PID:816
      - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\
        6⤵
        
        PID:1356
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\
        7⤵
        
        PID:888
      - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\
        6⤵
        
        PID:4100
      - C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\
        6⤵
        
        PID:3604
      - C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\update.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\
        6⤵
        
        PID:2360
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\
        7⤵
        
        PID:3472
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\
        7⤵
        
        PID:1928
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\
        7⤵
        
        PID:2300
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\
        8⤵
        
        PID:2304
    - - C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        5⤵
        
        PID:3796
    - - C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\
        5⤵
        
        PID:3408
      - C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\
        6⤵
        
        PID:5036
      - C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\
        6⤵
        
        PID:4336
    - - C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\BORDERS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\BORDERS\
        5⤵
        
        PID:1888
    - - C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Configuration\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Configuration\
        5⤵
        
        PID:736
    - - C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\
        5⤵
        
        PID:2236
      - C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\
        6⤵
        
        PID:228
        
        C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\update.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\update.exe" C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\
        7⤵
        
        PID:4744
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:3788
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f14\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f14\
        5⤵
        
        PID:3356
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f3\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f3\
        5⤵
        
        PID:2368
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f2\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f2\
        5⤵
        
        PID:1080
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f33\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f33\
        5⤵
        
        PID:2292
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_f7\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_f7\
        5⤵
        
        PID:2840
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\
        5⤵
        
        PID:8
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\
        5⤵
        
        PID:2304
    - - C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\backup.exe" C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\
        5⤵
        
        PID:3996
  - - C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
      "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
      4⤵
      PID:4172
    - - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        5⤵
        
        PID:2280
  - - C:\Program Files\Microsoft Office\root\Integration\backup.exe
      "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
      4⤵
      PID:3408
  - - C:\Program Files\Microsoft Office\root\fre\backup.exe
      "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
      4⤵
      PID:4344
  - - C:\Program Files\Microsoft Office\root\rsod\backup.exe
      "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
      4⤵
      PID:2996
  - - C:\Program Files\Microsoft Office\root\Templates\backup.exe
      "C:\Program Files\Microsoft Office\root\Templates\backup.exe" C:\Program Files\Microsoft Office\root\Templates\
      4⤵
      PID:4856
    - - C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        5⤵
        
        PID:2064
      - C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\
        6⤵
        
        PID:5064
      - C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\
        6⤵
        
        PID:2052
    - - C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\backup.exe" C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\
        5⤵
        
        PID:1844
  - - C:\Program Files\Microsoft Office\root\vfs\backup.exe
      "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
      4⤵
      PID:2724
    - - C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\
        5⤵
        
        PID:748
      - C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\
        6⤵
        
        PID:4232
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\
        7⤵
        
        PID:3416
        
        C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\
        8⤵
        
        PID:3356
      - C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\
        6⤵
        
        PID:4696
    - - C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\data.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\
        5⤵
        
        PID:4164
      - C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\Fonts\private\backup.exe" C:\Program Files\Microsoft Office\root\vfs\Fonts\private\
        6⤵
        
        PID:2472
    - - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\
        5⤵
        
        PID:2228
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\
        6⤵
        
        PID:2812
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\
        6⤵
        
        PID:3748
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\
        7⤵
        
        PID:1552
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\
        8⤵
        
        PID:4880
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\
        7⤵
        
        PID:4808
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\
        7⤵
        
        PID:1428
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\
        7⤵
        
        PID:1196
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\
        6⤵
        
        PID:4532
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\
        7⤵
        
        PID:4956
    - - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\
        5⤵
        
        PID:4720
      - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\
        6⤵
        
        PID:1488
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\System Restore.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\System Restore.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\
        7⤵
        
        PID:2472
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\
        7⤵
        
        PID:4236
        
        C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\backup.exe" C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\
        8⤵
        
        PID:4952
  - - C:\Program Files\Microsoft Office\root\vreg\backup.exe
      "C:\Program Files\Microsoft Office\root\vreg\backup.exe" C:\Program Files\Microsoft Office\root\vreg\
      4⤵
      PID:5020
- - C:\Program Files\Microsoft Office\Updates\backup.exe
    "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
    3⤵
    PID:4016
  - - C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
      "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
      4⤵
      PID:776
- C:\Program Files\Microsoft Office 15\backup.exe
  "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
  2⤵
  PID:2936
- - C:\Program Files\Microsoft Office 15\ClientX64\data.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\data.exe" C:\Program Files\Microsoft Office 15\ClientX64\
    3⤵
    PID:4228
- C:\Program Files\Mozilla Firefox\backup.exe
  "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  PID:2228
- - C:\Program Files\Mozilla Firefox\browser\data.exe
    "C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\
    3⤵
    PID:1196
  - - C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
      4⤵
      PID:3184
  - - C:\Program Files\Mozilla Firefox\browser\features\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
      4⤵
      PID:3328
- - C:\Program Files\Mozilla Firefox\defaults\backup.exe
    "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
    3⤵
    PID:4212
- - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
    "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
    3⤵
    PID:2496
  - - C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe
      "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\update.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1048
    - - C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        5⤵
        
        PID:4132
- - C:\Program Files\Mozilla Firefox\fonts\data.exe
    "C:\Program Files\Mozilla Firefox\fonts\data.exe" C:\Program Files\Mozilla Firefox\fonts\
    3⤵
    PID:448
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
      4⤵
      PID:4732
- - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
    "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
    3⤵
    PID:5108
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  PID:3596
- - C:\Program Files\MSBuild\Microsoft\backup.exe
    "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
    3⤵
    PID:4832
- C:\Program Files\Reference Assemblies\backup.exe
  "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
  2⤵
  PID:4056
- - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
    3⤵
    PID:5056
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4364
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        5⤵
        
        PID:1344
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        6⤵
        
        PID:1368
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        6⤵
        
        PID:4456
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        6⤵
        
        PID:3772
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        6⤵
        
        PID:5008
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        6⤵
        
        PID:3172
- C:\Program Files\VideoLAN\backup.exe
  "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
  2⤵
  PID:4340
- - C:\Program Files\VideoLAN\VLC\backup.exe
    "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
    3⤵
    PID:1988
  - - C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
      "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
      4⤵
      PID:316
  - - C:\Program Files\VideoLAN\VLC\locale\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
      4⤵
      PID:3600
    - - C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        5⤵
        
        PID:1260
      - C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        6⤵
        
        PID:2328
    - - C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        5⤵
        
        PID:1612
      - C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        6⤵
        
        PID:2468
    - - C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        5⤵
        
        PID:3492
    - - C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        5⤵
        
        PID:5072
      - C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        6⤵
        
        PID:3656
    - - C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        5⤵
        
        PID:4000
      - C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        6⤵
        
        PID:3496
    - - C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        5⤵
        
        PID:4208
    - - C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        5⤵
        
        PID:2292
      - C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        6⤵
        
        PID:4776
    - - C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
        5⤵
        
        PID:5004
  - - C:\Program Files\VideoLAN\VLC\lua\backup.exe
      "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
      4⤵
      PID:4768
    - - C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        5⤵
        
        PID:1524
    - - C:\Program Files\VideoLAN\VLC\lua\http\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\System Restore.exe" C:\Program Files\VideoLAN\VLC\lua\http\
        5⤵
        
        PID:2580
      - C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\images\
        6⤵
        
        PID:3476
      - C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\js\
        6⤵
        
        PID:3440
      - C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\requests\
        6⤵
        
        PID:740
    - - C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\
        5⤵
        
        PID:2808
      - C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\modules\
        6⤵
        
        PID:1892
    - - C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\
        5⤵
        
        PID:820
  - - C:\Program Files\VideoLAN\VLC\plugins\backup.exe
      "C:\Program Files\VideoLAN\VLC\plugins\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\
      4⤵
      PID:2244
    - - C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
        5⤵
        
        PID:4660
    - - C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
        5⤵
        
        PID:2016
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\00194bf840ef92b2565b539f29704dc8\
        6⤵
        
        PID:1244
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
        5⤵
        
        PID:3088
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_output\
        5⤵
        
        PID:3508
    - - C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\codec\
        5⤵
        
        PID:844
- C:\Program Files\Windows Defender\backup.exe
  "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
  2⤵
  PID:3216
- - C:\Program Files\Windows Defender\de-DE\backup.exe
    "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
    3⤵
    PID:504
- - C:\Program Files\Windows Defender\fr-FR\backup.exe
    "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
    3⤵
    PID:3604
- - C:\Program Files\Windows Defender\es-ES\backup.exe
    "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
    3⤵
    PID:4496
- - C:\Program Files\Windows Defender\it-IT\backup.exe
    "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
    3⤵
    PID:4468
- - C:\Program Files\Windows Defender\ja-JP\backup.exe
    "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
    3⤵
    PID:4816
- C:\Program Files\Windows Mail\backup.exe
  "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
  2⤵
  PID:1328
- C:\Program Files\Windows Media Player\backup.exe
  "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
  2⤵
  PID:3184
- - C:\Program Files\Windows Media Player\de-DE\backup.exe
    "C:\Program Files\Windows Media Player\de-DE\backup.exe" C:\Program Files\Windows Media Player\de-DE\
    3⤵
    PID:3988
- - C:\Program Files\Windows Media Player\en-US\backup.exe
    "C:\Program Files\Windows Media Player\en-US\backup.exe" C:\Program Files\Windows Media Player\en-US\
    3⤵
    PID:1328
- - C:\Program Files\Windows Media Player\fr-FR\backup.exe
    "C:\Program Files\Windows Media Player\fr-FR\backup.exe" C:\Program Files\Windows Media Player\fr-FR\
    3⤵
    PID:4224
- - C:\Program Files\Windows Media Player\it-IT\backup.exe
    "C:\Program Files\Windows Media Player\it-IT\backup.exe" C:\Program Files\Windows Media Player\it-IT\
    3⤵
    PID:2392
- - C:\Program Files\Windows Media Player\ja-JP\backup.exe
    "C:\Program Files\Windows Media Player\ja-JP\backup.exe" C:\Program Files\Windows Media Player\ja-JP\
    3⤵
    PID:3024
- C:\Program Files\Windows Multimedia Platform\backup.exe
  "C:\Program Files\Windows Multimedia Platform\backup.exe" C:\Program Files\Windows Multimedia Platform\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1300

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3692

C:\odt\backup.exe
C:\odt\backup.exe C:\odt\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
1⤵
PID:2580
- C:\Users\Admin\3D Objects\backup.exe
  "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
  2⤵
  PID:4364
- C:\Users\Admin\Contacts\backup.exe
  C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
  2⤵
  PID:2340
- C:\Users\Admin\Desktop\backup.exe
  C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
  2⤵
  PID:228
- C:\Users\Admin\Documents\backup.exe
  C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
  2⤵
  PID:3536
- - C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
    "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
    3⤵
    PID:1788
  - - C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
      "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
      4⤵
      PID:376
- C:\Users\Admin\Downloads\backup.exe
  C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
  2⤵
  PID:720
- C:\Users\Admin\Favorites\backup.exe
  C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
  2⤵
  PID:1488
- C:\Users\Admin\Links\System Restore.exe
  "C:\Users\Admin\Links\System Restore.exe" C:\Users\Admin\Links\
  2⤵
  PID:4232
- C:\Users\Admin\Music\backup.exe
  C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
  2⤵
  PID:1672
- - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
    "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
    3⤵
    PID:844
- C:\Users\Admin\OneDrive\backup.exe
  C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
  2⤵
  PID:924
- C:\Users\Admin\Pictures\backup.exe
  C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
  2⤵
  PID:4336
- - C:\Users\Admin\Pictures\Saved Pictures\backup.exe
    "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
    3⤵
    PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\data.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\data.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
      4⤵
      PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        5⤵
        
        PID:812
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        6⤵
        
        PID:1196
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        6⤵
        
        PID:3476
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        6⤵
        
        PID:4056
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        6⤵
        
        PID:2768
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        6⤵
        
        PID:5092
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        6⤵
        
        PID:4556
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        6⤵
        
        PID:4568
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        6⤵
        
        PID:4800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
        7⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
        8⤵
        
        PID:4760
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        6⤵
        
        PID:1428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\update.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\update.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        7⤵
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        7⤵
        
        PID:2944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\
        7⤵
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\
        7⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\
        7⤵
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\
        7⤵
        
        PID:820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\
        8⤵
        
        PID:5080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\
        8⤵
        
        PID:4016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\
        7⤵
        
        PID:2452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\
        7⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\
        8⤵
        
        PID:3848
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        6⤵
        
        PID:4576
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        6⤵
        
        PID:2580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\
        7⤵
        
        PID:5108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\
        7⤵
        
        PID:2184
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
        7⤵
        
        PID:3024
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\
        6⤵
        
        PID:4576
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\
        6⤵
        
        PID:1592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        5⤵
        
        PID:2552
- - C:\Users\Admin\Pictures\Camera Roll\System Restore.exe
    "C:\Users\Admin\Pictures\Camera Roll\System Restore.exe" C:\Users\Admin\Pictures\Camera Roll\
    3⤵
    PID:3504
- C:\Users\Admin\Saved Games\backup.exe
  "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
  2⤵
  PID:824
- C:\Users\Admin\Searches\backup.exe
  C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
  2⤵
  PID:448
- C:\Users\Admin\Videos\update.exe
  C:\Users\Admin\Videos\update.exe C:\Users\Admin\Videos\
  2⤵
  PID:2280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
1⤵
PID:1368
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
  2⤵
  PID:4056

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
1⤵
- Drops file in Program Files directory
PID:5092
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\update.exe
  "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\update.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5020

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
1⤵
PID:5012
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
  2⤵
  PID:532
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
    3⤵
    PID:4200
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
    3⤵
    PID:4468
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\System Restore.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
  2⤵
  PID:2088
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
    3⤵
    PID:2184
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
    3⤵
    PID:4160
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
    3⤵
    PID:4648
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4300
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
    3⤵
    PID:1496
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
    3⤵
    PID:1920
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
    3⤵
    PID:816

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
1⤵
PID:2016

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
1⤵
PID:2064
- C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
  2⤵
  PID:4468
- C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
  2⤵
  PID:1624
- C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
  2⤵
  PID:2044
- C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
  2⤵
  PID:316
- C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
  2⤵
  PID:2772
- C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
  2⤵
  PID:4576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
1⤵
PID:3444
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
  2⤵
  PID:4536
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
  2⤵
  PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
1⤵
PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
  2⤵
  PID:2896

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
1⤵
PID:3488

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
1⤵
PID:4552

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\update.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
1⤵
PID:5000

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
1⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
1⤵
PID:2644

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
1⤵
PID:3660

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
1⤵
PID:2204

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\
1⤵
PID:2820
- C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\
  2⤵
  PID:2932
- - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\
    3⤵
    PID:4696
  - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\
      4⤵
      PID:3460
    - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\
        5⤵
        
        PID:1144
      - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:1332
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\
        7⤵
        
        PID:2772
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C36845CD-C743-4DE7-86B2-AF3D989D9CC0\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\
        9⤵
        
        PID:4620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\
        10⤵
        
        PID:3348

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
1⤵
PID:5088
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
  2⤵
  PID:1504
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
  2⤵
  PID:4436

C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
"C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
1⤵
PID:3156

C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe
"C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\
1⤵
PID:4232
- C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe
  "C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\
  2⤵
  PID:1332

C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
1⤵
PID:972

C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe
C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
447KB

MD5
71dd1cc1572911ae2c97c72446e11bee

SHA1
96097676ceca3af17678b588d5b85514679d3587

SHA256
983b7b5944e9b520a39af30fe679a6ebf94e70b7e050124b66ce38ddfd3702e8

SHA512
2166776b710287fb40ab4eb1cf7bbe9ddeca5c260f3f64a7c5cc3c1c3c55001b9263423b9c1831817116fbca1250a89fd853e899e6bf151e922c1f57ec5127f4

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
71dd1cc1572911ae2c97c72446e11bee

SHA1
96097676ceca3af17678b588d5b85514679d3587

SHA256
983b7b5944e9b520a39af30fe679a6ebf94e70b7e050124b66ce38ddfd3702e8

SHA512
2166776b710287fb40ab4eb1cf7bbe9ddeca5c260f3f64a7c5cc3c1c3c55001b9263423b9c1831817116fbca1250a89fd853e899e6bf151e922c1f57ec5127f4

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
a55e53c45e049f97a288b161ae773c52

SHA1
c6c6e831873822c2ed448cfe0a530af6ebc80bea

SHA256
1a1f4923918137ba5104f0952d9bf075be30b272ad4c9666775f1e1d73e068a3

SHA512
12f4adf429adef436d0f5542f7b70ebc7ea08cc29a6020c8270d1678068c5341c273fdad5835a2de7124f3573bac6706d14dd03833c014cb76a30227b67b71ba

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
a55e53c45e049f97a288b161ae773c52

SHA1
c6c6e831873822c2ed448cfe0a530af6ebc80bea

SHA256
1a1f4923918137ba5104f0952d9bf075be30b272ad4c9666775f1e1d73e068a3

SHA512
12f4adf429adef436d0f5542f7b70ebc7ea08cc29a6020c8270d1678068c5341c273fdad5835a2de7124f3573bac6706d14dd03833c014cb76a30227b67b71ba

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
b00c49297a2cf97de41c669a2b89457c

SHA1
213a3250c0ddc3d0631b21d36fdc01991773f8ab

SHA256
51b1dc7a68d8802d742ea617e53fc24dd808cb9dafdab395863ddd5c47172f63

SHA512
881a7adaa70d7cfa65ac59219fb156fc7664061f110c842571a1405f47550d50a3707e7ce1ecae225735e3041ddf0733ddf2324053fa19a16057138c2e55a05d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
b00c49297a2cf97de41c669a2b89457c

SHA1
213a3250c0ddc3d0631b21d36fdc01991773f8ab

SHA256
51b1dc7a68d8802d742ea617e53fc24dd808cb9dafdab395863ddd5c47172f63

SHA512
881a7adaa70d7cfa65ac59219fb156fc7664061f110c842571a1405f47550d50a3707e7ce1ecae225735e3041ddf0733ddf2324053fa19a16057138c2e55a05d

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
447KB

MD5
af068791dc61f0dea325e889dbc1e772

SHA1
8782d7ff2391d5988674d19aa0dc8c36213b3a16

SHA256
cce1f3f07948f135d54a90d3caa06da1d664b32b7e2613bfc51a4986cf26ddea

SHA512
686bfb17c4ca5b6ddee8f0c80d949a77a68dbb61c3bde9ca8e97c74ec20a6987e9538170ed9ab6bb3071fbfb0488ac9d4e3468f3e9ffb53138e34cf1da3e9ec2

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
447KB

MD5
af068791dc61f0dea325e889dbc1e772

SHA1
8782d7ff2391d5988674d19aa0dc8c36213b3a16

SHA256
cce1f3f07948f135d54a90d3caa06da1d664b32b7e2613bfc51a4986cf26ddea

SHA512
686bfb17c4ca5b6ddee8f0c80d949a77a68dbb61c3bde9ca8e97c74ec20a6987e9538170ed9ab6bb3071fbfb0488ac9d4e3468f3e9ffb53138e34cf1da3e9ec2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
b00c49297a2cf97de41c669a2b89457c

SHA1
213a3250c0ddc3d0631b21d36fdc01991773f8ab

SHA256
51b1dc7a68d8802d742ea617e53fc24dd808cb9dafdab395863ddd5c47172f63

SHA512
881a7adaa70d7cfa65ac59219fb156fc7664061f110c842571a1405f47550d50a3707e7ce1ecae225735e3041ddf0733ddf2324053fa19a16057138c2e55a05d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
b00c49297a2cf97de41c669a2b89457c

SHA1
213a3250c0ddc3d0631b21d36fdc01991773f8ab

SHA256
51b1dc7a68d8802d742ea617e53fc24dd808cb9dafdab395863ddd5c47172f63

SHA512
881a7adaa70d7cfa65ac59219fb156fc7664061f110c842571a1405f47550d50a3707e7ce1ecae225735e3041ddf0733ddf2324053fa19a16057138c2e55a05d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
447KB

MD5
d7acafad99508c12e68688e2db62f1de

SHA1
48f47d34d4ab9f50cc844410cf371c7f208ec0ba

SHA256
e8f71912b3c858fbbcd25ed53ed1ce1f3acfac3dfdc5781c279ea947fdedc703

SHA512
0e56846fe034ca357ace2b40afc776fa29ff47756d48be527de123e19c0b3c28915725ae4924a90268b3e246db1d9dab13397e375a7f777ba61728e78c777e06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
447KB

MD5
d7acafad99508c12e68688e2db62f1de

SHA1
48f47d34d4ab9f50cc844410cf371c7f208ec0ba

SHA256
e8f71912b3c858fbbcd25ed53ed1ce1f3acfac3dfdc5781c279ea947fdedc703

SHA512
0e56846fe034ca357ace2b40afc776fa29ff47756d48be527de123e19c0b3c28915725ae4924a90268b3e246db1d9dab13397e375a7f777ba61728e78c777e06

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
447KB

MD5
af068791dc61f0dea325e889dbc1e772

SHA1
8782d7ff2391d5988674d19aa0dc8c36213b3a16

SHA256
cce1f3f07948f135d54a90d3caa06da1d664b32b7e2613bfc51a4986cf26ddea

SHA512
686bfb17c4ca5b6ddee8f0c80d949a77a68dbb61c3bde9ca8e97c74ec20a6987e9538170ed9ab6bb3071fbfb0488ac9d4e3468f3e9ffb53138e34cf1da3e9ec2

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
447KB

MD5
af068791dc61f0dea325e889dbc1e772

SHA1
8782d7ff2391d5988674d19aa0dc8c36213b3a16

SHA256
cce1f3f07948f135d54a90d3caa06da1d664b32b7e2613bfc51a4986cf26ddea

SHA512
686bfb17c4ca5b6ddee8f0c80d949a77a68dbb61c3bde9ca8e97c74ec20a6987e9538170ed9ab6bb3071fbfb0488ac9d4e3468f3e9ffb53138e34cf1da3e9ec2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
447KB

MD5
f9b6c58c871d2590601d6f4bd5b4d37d

SHA1
35a9233ed063148ce1700579ea43a4289c4efe93

SHA256
679e150a8b4ac89f9047d16ec71fc30995692247e5c551e4b0975d7178a0a899

SHA512
7c0e9758a1f90cbadb925f30b02ef00274c469c826237e7a4db3ce910d9af3c22050cb9d231cbc5ecdba26c5e8add7a9a5e312b718eac168c7a9ec02c6e4e7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
447KB

MD5
f9b6c58c871d2590601d6f4bd5b4d37d

SHA1
35a9233ed063148ce1700579ea43a4289c4efe93

SHA256
679e150a8b4ac89f9047d16ec71fc30995692247e5c551e4b0975d7178a0a899

SHA512
7c0e9758a1f90cbadb925f30b02ef00274c469c826237e7a4db3ce910d9af3c22050cb9d231cbc5ecdba26c5e8add7a9a5e312b718eac168c7a9ec02c6e4e7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
447KB

MD5
385a1ac5c123d60bef0e41950672f378

SHA1
661a4370ce435b20f6e415cecb782ee6433b8723

SHA256
de6565522d9830da7cc7c98a0acd7550391f89576ce545a06ab7afaba2045e84

SHA512
58ee49f68018a76d3c84b0140ca8b59d5e20b64aaa8a3ede894ef9379df9d775238b5c3aabaac89d54197b2b30dc53b842e92ffe27288dc2e6b9a9a30e914c16

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
447KB

MD5
385a1ac5c123d60bef0e41950672f378

SHA1
661a4370ce435b20f6e415cecb782ee6433b8723

SHA256
de6565522d9830da7cc7c98a0acd7550391f89576ce545a06ab7afaba2045e84

SHA512
58ee49f68018a76d3c84b0140ca8b59d5e20b64aaa8a3ede894ef9379df9d775238b5c3aabaac89d54197b2b30dc53b842e92ffe27288dc2e6b9a9a30e914c16

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
447KB

MD5
f9b6c58c871d2590601d6f4bd5b4d37d

SHA1
35a9233ed063148ce1700579ea43a4289c4efe93

SHA256
679e150a8b4ac89f9047d16ec71fc30995692247e5c551e4b0975d7178a0a899

SHA512
7c0e9758a1f90cbadb925f30b02ef00274c469c826237e7a4db3ce910d9af3c22050cb9d231cbc5ecdba26c5e8add7a9a5e312b718eac168c7a9ec02c6e4e7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
447KB

MD5
f9b6c58c871d2590601d6f4bd5b4d37d

SHA1
35a9233ed063148ce1700579ea43a4289c4efe93

SHA256
679e150a8b4ac89f9047d16ec71fc30995692247e5c551e4b0975d7178a0a899

SHA512
7c0e9758a1f90cbadb925f30b02ef00274c469c826237e7a4db3ce910d9af3c22050cb9d231cbc5ecdba26c5e8add7a9a5e312b718eac168c7a9ec02c6e4e7b2

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
3cf1f55ca17a334d094f1430e8d7cdae

SHA1
8e5d54d10786170bc1e20dfec80687dec6b2b223

SHA256
09ed78de888ea79b775ce9f43f1a22498427654c4e038e2be0a5d071b873f3f8

SHA512
ed2138a41d841c6f5a8c35ebb2489a1d9c44ad1dd52a88e406eb557fe5e570c554d6a9c4f4e6520ac3c4c3c2ed8d5796e0ceaaebd122c063275afae20fabb812

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
3cf1f55ca17a334d094f1430e8d7cdae

SHA1
8e5d54d10786170bc1e20dfec80687dec6b2b223

SHA256
09ed78de888ea79b775ce9f43f1a22498427654c4e038e2be0a5d071b873f3f8

SHA512
ed2138a41d841c6f5a8c35ebb2489a1d9c44ad1dd52a88e406eb557fe5e570c554d6a9c4f4e6520ac3c4c3c2ed8d5796e0ceaaebd122c063275afae20fabb812

Download Submit
C:\System Restore.exe

Filesize
447KB

MD5
969cc80e8aebb9645328c87d3c495bc7

SHA1
08c90cfd60b7cfe80f71aacf5ff5d435c5813de2

SHA256
3a97da96fde8edff7af80685fd830b4bc93145ff646709e118692285062715f6

SHA512
d9e4eeeabc949221033d606f82ce703963495ca1177bfc888748912439252470e53e9612f0bbb2c1cd7733cf29e1f490867b9655c7b33bf6e55d79e87f474a80

Download Submit
C:\System Restore.exe

Filesize
447KB

MD5
969cc80e8aebb9645328c87d3c495bc7

SHA1
08c90cfd60b7cfe80f71aacf5ff5d435c5813de2

SHA256
3a97da96fde8edff7af80685fd830b4bc93145ff646709e118692285062715f6

SHA512
d9e4eeeabc949221033d606f82ce703963495ca1177bfc888748912439252470e53e9612f0bbb2c1cd7733cf29e1f490867b9655c7b33bf6e55d79e87f474a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\2445145824\backup.exe

Filesize
447KB

MD5
89b9ccd6e6ee7db880dfa243f937bd1c

SHA1
0413e50c79df05bfba66c824a65ad503dd6a6e25

SHA256
cf8bcf668a272fe72390647393a2835e11297a3c063c37901698141c157f50ec

SHA512
a0e2590ba12c3d1a84261f603495746932e85447fd04f4a6864fda5b8e212f0e59160eacf9c7a7acadf13a831092b954fa396327634c040bd07d56e66d08d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2445145824\backup.exe

Filesize
447KB

MD5
89b9ccd6e6ee7db880dfa243f937bd1c

SHA1
0413e50c79df05bfba66c824a65ad503dd6a6e25

SHA256
cf8bcf668a272fe72390647393a2835e11297a3c063c37901698141c157f50ec

SHA512
a0e2590ba12c3d1a84261f603495746932e85447fd04f4a6864fda5b8e212f0e59160eacf9c7a7acadf13a831092b954fa396327634c040bd07d56e66d08d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2445145824\backup.exe

Filesize
447KB

MD5
89b9ccd6e6ee7db880dfa243f937bd1c

SHA1
0413e50c79df05bfba66c824a65ad503dd6a6e25

SHA256
cf8bcf668a272fe72390647393a2835e11297a3c063c37901698141c157f50ec

SHA512
a0e2590ba12c3d1a84261f603495746932e85447fd04f4a6864fda5b8e212f0e59160eacf9c7a7acadf13a831092b954fa396327634c040bd07d56e66d08d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
447KB

MD5
9d178c1b2faaae554c3adf4fc913baf8

SHA1
3d152afef609c62e933f6ef83208230ed7e9787b

SHA256
c97d05571b2cfb07a258de7d23edba9d36ae797454aa4053d80fe8704f340411

SHA512
96b9ac53ca9c112a05954af6392f6e30ea73d38f9b42169b681809082da33564291ce3a193a7a9ce05304ea10a5acc74e423dea54358a422094dc580b317111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
447KB

MD5
9d178c1b2faaae554c3adf4fc913baf8

SHA1
3d152afef609c62e933f6ef83208230ed7e9787b

SHA256
c97d05571b2cfb07a258de7d23edba9d36ae797454aa4053d80fe8704f340411

SHA512
96b9ac53ca9c112a05954af6392f6e30ea73d38f9b42169b681809082da33564291ce3a193a7a9ce05304ea10a5acc74e423dea54358a422094dc580b317111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
447KB

MD5
c3ab80f0a91e3c07d1c789dde93f2773

SHA1
8632d3152766277007f1e8081793a227bb42c1e7

SHA256
e21047ad048fd09eb903368fde4ad83a2648818aa06cb4308c43c3b4fb5651fe

SHA512
53853a17cfc6690c5cd1825c05f8c903809aef4197e55c27faa2dd2b2b622012006554f86a147eb74037272476c2485541907acff03fcacb444f9a69cd3697a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
447KB

MD5
c3ab80f0a91e3c07d1c789dde93f2773

SHA1
8632d3152766277007f1e8081793a227bb42c1e7

SHA256
e21047ad048fd09eb903368fde4ad83a2648818aa06cb4308c43c3b4fb5651fe

SHA512
53853a17cfc6690c5cd1825c05f8c903809aef4197e55c27faa2dd2b2b622012006554f86a147eb74037272476c2485541907acff03fcacb444f9a69cd3697a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
2eff91fc1e2867a99e3b07dce6df5dac

SHA1
84511a2ee636df937e7069abbb3d440244121d8a

SHA256
367d015bd39aadd2d555b01f0849a2279066299d0bfc93253194ba3663ab0523

SHA512
9557d4a7c36d0786ff93ba9aa2c4341dfc7a6d3c2ff72cbd4fb03e74fc73a491c66eb003908b5bddb114bcbd77ed46f68e0b1080412e0cc304de56768dab125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\data.exe

Filesize
447KB

MD5
1e3de49541aacde45d2e4a98d1a9b500

SHA1
d7e48cea33cc99f2e851eea7540eb9ca15aeee3c

SHA256
651cb2140695d0d495c9d55686839c6f66a30e4663e48e6554ae73a4fe4174de

SHA512
e3ff19f5a27cc6fe5c083073e16c5f4b221bc8dbd17637049fd43b7cfc1f4797a77dcfa3ca031554fd4bc3e8c9476a3f76456927293362056570c8f6ccd541d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
447KB

MD5
e13c74997b936b1ee878233dd0cfd2eb

SHA1
6ade3806a2c95a864bfb2f5a4e1ca77c27e49550

SHA256
450bcec9abb06b81383f39fbca422f9527a4ddec25df252508d167b9171ce5b4

SHA512
c568b51c15f2e1ca448655f3d568b4fd4d81d3742aa327a3b0ca8819e455f8661be3fdee210737a167087b49669efdbdd6bbd7a6665f2692f58c8a730817710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\backup.exe

Filesize
447KB

MD5
e13c74997b936b1ee878233dd0cfd2eb

SHA1
6ade3806a2c95a864bfb2f5a4e1ca77c27e49550

SHA256
450bcec9abb06b81383f39fbca422f9527a4ddec25df252508d167b9171ce5b4

SHA512
c568b51c15f2e1ca448655f3d568b4fd4d81d3742aa327a3b0ca8819e455f8661be3fdee210737a167087b49669efdbdd6bbd7a6665f2692f58c8a730817710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
447KB

MD5
e65522e45417a185ae86904f756675cd

SHA1
094cc48b514e4c3d661c0ff50d9a4f3781085278

SHA256
518fc80b56810625cbd7c7051c3bf2d31f931666c93f43190fc7668731f3b2a1

SHA512
59d9450fa6e3c17abda99a4aa3ecd654665d64e266653e1473b942aa862b0e2115e8f1ad47f50df7c0306566af1c151bee60cc30f19d37985b4630f73574a0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\be\backup.exe

Filesize
447KB

MD5
e65522e45417a185ae86904f756675cd

SHA1
094cc48b514e4c3d661c0ff50d9a4f3781085278

SHA256
518fc80b56810625cbd7c7051c3bf2d31f931666c93f43190fc7668731f3b2a1

SHA512
59d9450fa6e3c17abda99a4aa3ecd654665d64e266653e1473b942aa862b0e2115e8f1ad47f50df7c0306566af1c151bee60cc30f19d37985b4630f73574a0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
447KB

MD5
e65522e45417a185ae86904f756675cd

SHA1
094cc48b514e4c3d661c0ff50d9a4f3781085278

SHA256
518fc80b56810625cbd7c7051c3bf2d31f931666c93f43190fc7668731f3b2a1

SHA512
59d9450fa6e3c17abda99a4aa3ecd654665d64e266653e1473b942aa862b0e2115e8f1ad47f50df7c0306566af1c151bee60cc30f19d37985b4630f73574a0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\bn\backup.exe

Filesize
447KB

MD5
e65522e45417a185ae86904f756675cd

SHA1
094cc48b514e4c3d661c0ff50d9a4f3781085278

SHA256
518fc80b56810625cbd7c7051c3bf2d31f931666c93f43190fc7668731f3b2a1

SHA512
59d9450fa6e3c17abda99a4aa3ecd654665d64e266653e1473b942aa862b0e2115e8f1ad47f50df7c0306566af1c151bee60cc30f19d37985b4630f73574a0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\ca\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\cy\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\_locales\da\backup.exe

Filesize
447KB

MD5
38de297a682485172b8edd1c63f9c9b4

SHA1
90c236dbff7b5256435b76d86ea5ad5856bcf6be

SHA256
5487eb76d44d1a914b3422805d27e8bcaf24dad12f7a1f42fe08f296af40752e

SHA512
c72ceac0456473dd7bc0a5bf657bb387ba146928dc5e1625eb8cddd6956b751c763f3643d99222c060ab21a50459ca619328dc0449a286c6dbb7ef9b99202d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
447KB

MD5
f43347d8fafcc8d23d60e1b3faa73068

SHA1
9ab7e6c9c1f49904facdec50ee8372299af5d2d2

SHA256
c21a53874d306ed38313101fe32b1c787e9bb2354689cbb0c799c5d85cfec941

SHA512
01e7fcbec861a1323c163fdf43d4b8fd4a4734ef1dd435063f08dbeebfdfcf8f7382f9aa4f215b502d6504c44c67169656b5935d1e0b0cdc3cb20f3cb5e0985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\CRX_INSTALL\backup.exe

Filesize
447KB

MD5
f43347d8fafcc8d23d60e1b3faa73068

SHA1
9ab7e6c9c1f49904facdec50ee8372299af5d2d2

SHA256
c21a53874d306ed38313101fe32b1c787e9bb2354689cbb0c799c5d85cfec941

SHA512
01e7fcbec861a1323c163fdf43d4b8fd4a4734ef1dd435063f08dbeebfdfcf8f7382f9aa4f215b502d6504c44c67169656b5935d1e0b0cdc3cb20f3cb5e0985f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
447KB

MD5
390f7fa32b9c7721999e7ce39afd4d84

SHA1
9136d562b1608defe29d255aac7a8e5aae0fe820

SHA256
36e922184ce86db69586222cfb91069e264e5233405167da83af62f9fd916434

SHA512
b1a8ccaa61ba4373a8a6c3b10219435745dc6645d49dfe3a6b2cb3753be4cd617fd9e895dcf84482edf80a1f26417ec387c791321c4490ae8fd0feb8a7a496d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4004_2081144364\backup.exe

Filesize
447KB

MD5
390f7fa32b9c7721999e7ce39afd4d84

SHA1
9136d562b1608defe29d255aac7a8e5aae0fe820

SHA256
36e922184ce86db69586222cfb91069e264e5233405167da83af62f9fd916434

SHA512
b1a8ccaa61ba4373a8a6c3b10219435745dc6645d49dfe3a6b2cb3753be4cd617fd9e895dcf84482edf80a1f26417ec387c791321c4490ae8fd0feb8a7a496d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
32KB

MD5
32bcf16e49996e0c2d37646dac377316

SHA1
8e454257e8566e69d25e21cd6ab6162e32048990

SHA256
c5da51796ad399cf7e74802d6cf016f2fe9b3f511490db9812d9d2189fbbea59

SHA512
96b952bd20ff08e9faec30f39a1134d4434ed8132bbd088a249dbab96980f099104e6aa6ceeac4127a1de201dba21fc71823f0c4f5a2b0690f7c695ec210e42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0F4E9933-CE5B-4E95-9D37-28E031478774}\backup.exe

Filesize
447KB

MD5
89b9ccd6e6ee7db880dfa243f937bd1c

SHA1
0413e50c79df05bfba66c824a65ad503dd6a6e25

SHA256
cf8bcf668a272fe72390647393a2835e11297a3c063c37901698141c157f50ec

SHA512
a0e2590ba12c3d1a84261f603495746932e85447fd04f4a6864fda5b8e212f0e59160eacf9c7a7acadf13a831092b954fa396327634c040bd07d56e66d08d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0F4E9933-CE5B-4E95-9D37-28E031478774}\backup.exe

Filesize
447KB

MD5
89b9ccd6e6ee7db880dfa243f937bd1c

SHA1
0413e50c79df05bfba66c824a65ad503dd6a6e25

SHA256
cf8bcf668a272fe72390647393a2835e11297a3c063c37901698141c157f50ec

SHA512
a0e2590ba12c3d1a84261f603495746932e85447fd04f4a6864fda5b8e212f0e59160eacf9c7a7acadf13a831092b954fa396327634c040bd07d56e66d08d3a3

Download Submit
C:\odt\backup.exe

Filesize
447KB

MD5
71dd1cc1572911ae2c97c72446e11bee

SHA1
96097676ceca3af17678b588d5b85514679d3587

SHA256
983b7b5944e9b520a39af30fe679a6ebf94e70b7e050124b66ce38ddfd3702e8

SHA512
2166776b710287fb40ab4eb1cf7bbe9ddeca5c260f3f64a7c5cc3c1c3c55001b9263423b9c1831817116fbca1250a89fd853e899e6bf151e922c1f57ec5127f4

Download Submit
C:\odt\backup.exe

Filesize
447KB

MD5
71dd1cc1572911ae2c97c72446e11bee

SHA1
96097676ceca3af17678b588d5b85514679d3587

SHA256
983b7b5944e9b520a39af30fe679a6ebf94e70b7e050124b66ce38ddfd3702e8

SHA512
2166776b710287fb40ab4eb1cf7bbe9ddeca5c260f3f64a7c5cc3c1c3c55001b9263423b9c1831817116fbca1250a89fd853e899e6bf151e922c1f57ec5127f4

Download Submit
memory/600-217-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/756-323-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/852-190-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/924-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/924-328-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/924-21-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1048-284-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1120-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1156-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1300-335-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1836-243-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1896-332-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1908-254-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1936-281-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1992-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2000-361-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2016-130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2120-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2224-273-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2240-233-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2260-200-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2300-163-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2332-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2384-188-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2568-375-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2744-303-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2924-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3088-19-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3116-175-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3692-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3708-342-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3748-113-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3840-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3872-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3996-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3996-105-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4004-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4028-294-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4088-215-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4144-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4144-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4248-324-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4268-350-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4276-345-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4284-232-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4300-251-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4364-314-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4444-241-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4472-231-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4480-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4496-249-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4508-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4532-189-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4616-369-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4752-313-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4816-263-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4880-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4936-304-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4972-77-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5004-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5012-359-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5020-203-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5092-207-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads