ff3299bfa4a48663ce6aa29d2770e7255c49f196d3bb944e00c4f625c0c95c79

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f3c052df138dfd5b618c62f85091f640.exe
Size

378KB
MD5

f3c052df138dfd5b618c62f85091f640
SHA1

993f55cdc9b181254b4d11db218c28cbf60e8314
SHA256

ff3299bfa4a48663ce6aa29d2770e7255c49f196d3bb944e00c4f625c0c95c79
SHA512

974856d168e7a90f60c8681b2962f8956cd46e7b1753cafda83910af680f84b6815affe3b5b69a24a9b65a87ce92d62444bd92865b213d2038e509711bc4678f
SSDEEP

384:XqnuO1JCHYdHz4XpfHEI6/dDEPjaVC6fMbUyFm0tyXLBI89wvuAv1mwnA3Z3BXRN:Xqnum1F6/789ujYTyLylze70wi3BEmF

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2320	data.exe
2008	backup.exe
1996	backup.exe
1436	backup.exe
716	backup.exe
4460	backup.exe
1960	backup.exe
4948	backup.exe
1136	backup.exe
3920	backup.exe
2140	backup.exe
4476	backup.exe
3236	data.exe
4080	backup.exe
4472	backup.exe
4548	backup.exe
932	backup.exe
3312	backup.exe
1216	backup.exe
3988	backup.exe
4380	backup.exe
3904	backup.exe
1052	backup.exe
5044	backup.exe
4404	data.exe
4464	backup.exe
1492	backup.exe
1440	backup.exe
2848	backup.exe
3168	backup.exe
3476	backup.exe
1004	backup.exe
4348	backup.exe
2412	backup.exe
3972	backup.exe
1660	backup.exe
3920	System Restore.exe
64	backup.exe
2096	backup.exe
1816	backup.exe
3364	update.exe
2092	backup.exe
2716	backup.exe
3176	backup.exe
1284	backup.exe
932	update.exe
840	backup.exe
4500	backup.exe
1000	backup.exe
3128	backup.exe
2156	backup.exe
1668	backup.exe
1392	System Restore.exe
748	backup.exe
5028	backup.exe
3520	backup.exe
3684	backup.exe
4404	update.exe
4144	backup.exe
2032	backup.exe
640	backup.exe
4364	backup.exe
2336	backup.exe
2688	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2772-0-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000022e4d-6.dat	upx
behavioral2/files/0x0007000000022e4d-7.dat	upx
behavioral2/files/0x0006000000022e52-11.dat	upx
behavioral2/files/0x0006000000022e52-12.dat	upx
behavioral2/files/0x0006000000022e52-13.dat	upx
behavioral2/files/0x0007000000022e54-18.dat	upx
behavioral2/files/0x0007000000022e54-19.dat	upx
behavioral2/memory/2008-20-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e58-25.dat	upx
behavioral2/files/0x0006000000022e58-26.dat	upx
behavioral2/memory/1436-30-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0008000000022e4e-32.dat	upx
behavioral2/files/0x0008000000022e4e-33.dat	upx
behavioral2/files/0x0006000000022e59-38.dat	upx
behavioral2/files/0x0006000000022e59-39.dat	upx
behavioral2/memory/4460-44-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e5b-47.dat	upx
behavioral2/files/0x0007000000022e5a-48.dat	upx
behavioral2/files/0x0006000000022e5b-49.dat	upx
behavioral2/files/0x0007000000022e5a-50.dat	upx
behavioral2/memory/4948-59-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000022e5c-58.dat	upx
behavioral2/files/0x0006000000022e5e-62.dat	upx
behavioral2/files/0x0006000000022e5e-64.dat	upx
behavioral2/memory/2772-63-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3920-65-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000022e5c-60.dat	upx
behavioral2/files/0x0007000000022e60-71.dat	upx
behavioral2/files/0x0007000000022e60-73.dat	upx
behavioral2/memory/2320-75-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3920-74-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000022e61-80.dat	upx
behavioral2/files/0x0007000000022e61-82.dat	upx
behavioral2/memory/1136-81-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0007000000022e62-88.dat	upx
behavioral2/memory/2140-87-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1996-90-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e64-94.dat	upx
behavioral2/files/0x0006000000022e64-93.dat	upx
behavioral2/files/0x0007000000022e62-89.dat	upx
behavioral2/files/0x0006000000022e66-102.dat	upx
behavioral2/memory/716-105-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e68-107.dat	upx
behavioral2/files/0x0006000000022e68-106.dat	upx
behavioral2/files/0x0006000000022e66-104.dat	upx
behavioral2/memory/4548-113-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4080-119-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4476-118-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e6d-115.dat	upx
behavioral2/memory/1960-116-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0006000000022e6d-117.dat	upx
behavioral2/memory/932-124-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4472-125-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0008000000022e67-127.dat	upx
behavioral2/files/0x0008000000022e67-128.dat	upx
behavioral2/files/0x0007000000022e6a-133.dat	upx
behavioral2/files/0x0007000000022e6a-134.dat	upx
behavioral2/memory/716-141-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/1216-140-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/files/0x0008000000022e6b-143.dat	upx
behavioral2/files/0x0008000000022e6b-144.dat	upx
behavioral2/files/0x0006000000022e6f-149.dat	upx
behavioral2/files/0x0006000000022e6f-150.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\backup.exe	data.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Apply\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\applet\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe	backup.exe
File opened for modification	C:\Program Files\ModifiableWindowsApps\backup.exe	data.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\apppatch\Custom\Custom64\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	update.exe
File opened for modification	C:\Windows\apppatch\it-IT\data.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\update.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\update.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe
2320	data.exe
2008	backup.exe
1996	backup.exe
1436	backup.exe
716	backup.exe
4460	backup.exe
4948	backup.exe
1960	backup.exe
3920	backup.exe
1136	backup.exe
2140	backup.exe
4476	backup.exe
3236	data.exe
4080	backup.exe
4472	backup.exe
4548	backup.exe
932	backup.exe
3312	backup.exe
1216	backup.exe
3988	backup.exe
4380	backup.exe
3904	backup.exe
1052	backup.exe
5044	backup.exe
4404	data.exe
4464	backup.exe
1492	backup.exe
1440	backup.exe
2848	backup.exe
3168	backup.exe
3476	backup.exe
1004	backup.exe
4348	backup.exe
2412	backup.exe
3972	backup.exe
1660	backup.exe
3920	System Restore.exe
64	backup.exe
2096	backup.exe
1816	backup.exe
3364	update.exe
2092	backup.exe
2716	backup.exe
3176	backup.exe
1284	backup.exe
932	update.exe
840	backup.exe
4500	backup.exe
1000	backup.exe
3128	backup.exe
2156	backup.exe
1668	backup.exe
1392	System Restore.exe
748	backup.exe
5028	backup.exe
3520	backup.exe
3684	backup.exe
4404	update.exe
4144	backup.exe
2032	backup.exe
640	backup.exe
4364	backup.exe
2336	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2320	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	87
PID 2772 wrote to memory of 2320	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	87
PID 2772 wrote to memory of 2320	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	87
PID 2772 wrote to memory of 2008	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	88
PID 2772 wrote to memory of 2008	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	88
PID 2772 wrote to memory of 2008	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	88
PID 2772 wrote to memory of 1996	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	90
PID 2772 wrote to memory of 1996	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	90
PID 2772 wrote to memory of 1996	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	90
PID 2772 wrote to memory of 1436	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	91
PID 2772 wrote to memory of 1436	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	91
PID 2772 wrote to memory of 1436	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	91
PID 2772 wrote to memory of 716	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	92
PID 2772 wrote to memory of 716	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	92
PID 2772 wrote to memory of 716	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	92
PID 2772 wrote to memory of 4460	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	94
PID 2772 wrote to memory of 4460	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	94
PID 2772 wrote to memory of 4460	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	94
PID 2772 wrote to memory of 4948	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	96
PID 2772 wrote to memory of 4948	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	96
PID 2772 wrote to memory of 4948	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	96
PID 2320 wrote to memory of 1960	2320	data.exe	95
PID 2320 wrote to memory of 1960	2320	data.exe	95
PID 2320 wrote to memory of 1960	2320	data.exe	95
PID 2772 wrote to memory of 1136	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	97
PID 2772 wrote to memory of 1136	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	97
PID 2772 wrote to memory of 1136	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	97
PID 1960 wrote to memory of 3920	1960	backup.exe	98
PID 1960 wrote to memory of 3920	1960	backup.exe	98
PID 1960 wrote to memory of 3920	1960	backup.exe	98
PID 1960 wrote to memory of 2140	1960	backup.exe	99
PID 1960 wrote to memory of 2140	1960	backup.exe	99
PID 1960 wrote to memory of 2140	1960	backup.exe	99
PID 2772 wrote to memory of 4476	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	100
PID 2772 wrote to memory of 4476	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	100
PID 2772 wrote to memory of 4476	2772	NEAS.f3c052df138dfd5b618c62f85091f640.exe	100
PID 1960 wrote to memory of 3236	1960	backup.exe	101
PID 1960 wrote to memory of 3236	1960	backup.exe	101
PID 1960 wrote to memory of 3236	1960	backup.exe	101
PID 4476 wrote to memory of 4080	4476	backup.exe	102
PID 4476 wrote to memory of 4080	4476	backup.exe	102
PID 4476 wrote to memory of 4080	4476	backup.exe	102
PID 3236 wrote to memory of 4472	3236	data.exe	103
PID 3236 wrote to memory of 4472	3236	data.exe	103
PID 3236 wrote to memory of 4472	3236	data.exe	103
PID 4080 wrote to memory of 4548	4080	backup.exe	104
PID 4080 wrote to memory of 4548	4080	backup.exe	104
PID 4080 wrote to memory of 4548	4080	backup.exe	104
PID 4472 wrote to memory of 932	4472	backup.exe	105
PID 4472 wrote to memory of 932	4472	backup.exe	105
PID 4472 wrote to memory of 932	4472	backup.exe	105
PID 3236 wrote to memory of 3312	3236	data.exe	106
PID 3236 wrote to memory of 3312	3236	data.exe	106
PID 3236 wrote to memory of 3312	3236	data.exe	106
PID 3312 wrote to memory of 1216	3312	backup.exe	107
PID 3312 wrote to memory of 1216	3312	backup.exe	107
PID 3312 wrote to memory of 1216	3312	backup.exe	107
PID 3312 wrote to memory of 3988	3312	backup.exe	108
PID 3312 wrote to memory of 3988	3312	backup.exe	108
PID 3312 wrote to memory of 3988	3312	backup.exe	108
PID 3988 wrote to memory of 4380	3988	backup.exe	109
PID 3988 wrote to memory of 4380	3988	backup.exe	109
PID 3988 wrote to memory of 4380	3988	backup.exe	109
PID 3988 wrote to memory of 3904	3988	backup.exe	110

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f3c052df138dfd5b618c62f85091f640.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3c052df138dfd5b618c62f85091f640.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\{66F838ED-0796-4485-88D6-6506D0F33DCD}\data.exe
  C:\Users\Admin\AppData\Local\Temp\{66F838ED-0796-4485-88D6-6506D0F33DCD}\data.exe C:\Users\Admin\AppData\Local\Temp\{66F838ED-0796-4485-88D6-6506D0F33DCD}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\odt\backup.exe
      C:\odt\backup.exe C:\odt\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3920
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2140
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3312
      - C:\Program Files\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1216
      - C:\Program Files\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Program Files\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3904
        
        C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\data.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3972
        
        C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3920
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3364
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3176
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4500
        
        C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3128
        
        C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:748
        
        C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:640
        
        C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\data.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
        8⤵
        
        PID:3288
        
        C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
        8⤵
        
        PID:1136
        
        C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
        8⤵
        
        PID:396
        
        C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
        8⤵
        
        PID:2840
        
        C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1900
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
        8⤵
        
        PID:5044
        
        C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
        8⤵
        
        PID:2996
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:4196
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:2604
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:4132
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:2180
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:3680
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:4364
        
        C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:4452
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:632
        
        C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
        8⤵
        
        PID:4872
        
        C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\Source Engine\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
        
        C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1720
        
        C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:3312
        
        C:\Program Files\Common Files\microsoft shared\TextConv\data.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\data.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
        7⤵
        System policy modification
        
        PID:3492
        
        C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:3404
        
        C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        8⤵
        
        PID:3128
        
        C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:4728
        
        C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5068
        
        C:\Program Files\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Program Files\Common Files\microsoft shared\VGX\System Restore.exe
        
        "C:\Program Files\Common Files\microsoft shared\VGX\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:3672
        
        C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
        7⤵
        Drops file in Program Files directory
        
        PID:1668
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
        8⤵
        
        PID:2640
        
        C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
        9⤵
        
        PID:4276
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1184
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2984
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:3256
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:3888
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2848
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1448
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1196
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:4132
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:3512
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:4072
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1944
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:3916
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2772
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4180
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1736
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:4164
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2100
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:3484
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:3792
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:4144
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2180
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:4452
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System policy modification
        
        PID:1712
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:3576
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2400
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2336
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:3288
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2664
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:2140
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        System policy modification
        
        PID:4220
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        System policy modification
        
        PID:4956
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2156
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:3792
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4548
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:492
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:2844
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:1516
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:4144
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:4872
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:4164
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:3136
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2748
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
      - C:\Program Files\Java\jdk-1.8\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
        6⤵
        
        PID:4500
        
        C:\Program Files\Java\jdk-1.8\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3096
        
        C:\Program Files\Java\jdk-1.8\include\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
        7⤵
        
        PID:3892
        
        C:\Program Files\Java\jdk-1.8\include\win32\data.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\data.exe" C:\Program Files\Java\jdk-1.8\include\win32\
        8⤵
        
        PID:3332
        
        C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
        9⤵
        
        PID:3112
        
        C:\Program Files\Java\jdk-1.8\jre\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\backup.exe" C:\Program Files\Java\jdk-1.8\jre\
        7⤵
        
        PID:1184
        
        C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
        8⤵
        System policy modification
        
        PID:748
        
        C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
        9⤵
        
        PID:4940
        
        C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
        9⤵
        
        PID:3276
        
        C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
        9⤵
        System policy modification
        
        PID:3388
        
        C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
        8⤵
        System policy modification
        
        PID:4220
        
        C:\Program Files\Java\jdk-1.8\jre\legal\javafx\System Restore.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
        9⤵
        
        PID:3128
        
        C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4256
        
        C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        9⤵
        
        PID:3284
        
        C:\Program Files\Java\jdk-1.8\jre\lib\applet\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        9⤵
        
        PID:1708
        
        C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        9⤵
        
        PID:4976
        
        C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Program Files\Java\jdk-1.8\jre\lib\ext\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        9⤵
        
        PID:776
        
        C:\Program Files\Java\jdk-1.8\legal\update.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\update.exe" C:\Program Files\Java\jdk-1.8\legal\
        7⤵
        System policy modification
        
        PID:1304
        
        C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
        8⤵
        
        PID:4564
        
        C:\Program Files\Java\jdk-1.8\lib\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
        7⤵
        
        PID:3112
      - C:\Program Files\Java\jre-1.8\backup.exe
        
        "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
        6⤵
        Drops file in Program Files directory
        
        PID:396
        
        C:\Program Files\Java\jre-1.8\bin\data.exe
        
        "C:\Program Files\Java\jre-1.8\bin\data.exe" C:\Program Files\Java\jre-1.8\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:2544
        
        C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        8⤵
        
        PID:2092
        
        C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        8⤵
        
        PID:624
        
        C:\Program Files\Java\jre-1.8\bin\server\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\System Restore.exe" C:\Program Files\Java\jre-1.8\bin\server\
        8⤵
        
        PID:4888
        
        C:\Program Files\Java\jre-1.8\legal\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
        7⤵
        
        PID:4788
        
        C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\backup.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        8⤵
        
        PID:4224
        
        C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\backup.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        8⤵
        System policy modification
        
        PID:1500
        
        C:\Program Files\Java\jre-1.8\lib\data.exe
        
        "C:\Program Files\Java\jre-1.8\lib\data.exe" C:\Program Files\Java\jre-1.8\lib\
        7⤵
        System policy modification
        
        PID:2096
        
        C:\Program Files\Java\jre-1.8\lib\amd64\update.exe
        
        "C:\Program Files\Java\jre-1.8\lib\amd64\update.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
        8⤵
        
        PID:1920
        
        C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
        8⤵
        
        PID:3476
    - - C:\Program Files\Microsoft Office\data.exe
        
        "C:\Program Files\Microsoft Office\data.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:628
      - C:\Program Files\Microsoft Office\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
        6⤵
        
        PID:4752
      - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
        6⤵
        
        PID:3892
      - C:\Program Files\Microsoft Office\root\backup.exe
        
        "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
        6⤵
        
        PID:2192
        
        C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        7⤵
        
        PID:4068
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:5056
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        8⤵
        
        PID:640
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        8⤵
        
        PID:980
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        8⤵
        
        PID:3372
        
        C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        7⤵
        
        PID:4640
      - C:\Program Files\Microsoft Office\Updates\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
        6⤵
        Drops file in Program Files directory
        
        PID:4936
        
        C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        7⤵
        
        PID:4892
    - - C:\Program Files\Microsoft Office 15\backup.exe
        
        "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
        5⤵
        Drops file in Program Files directory
        
        PID:2840
      - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
        6⤵
        
        PID:2984
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        System policy modification
        
        PID:2156
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:4984
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:4440
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        Drops file in Program Files directory
        
        PID:4044
        
        C:\Program Files\Mozilla Firefox\defaults\pref\update.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\update.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2608
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3480
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:5088
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:2496
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:4932
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:4084
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        
        PID:4896
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        System policy modification
        
        PID:5028
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:4892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Drops file in Program Files directory
        
        PID:232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:3680
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        System policy modification
        
        PID:4092
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        
        PID:4832
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        System policy modification
        
        PID:772
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
        9⤵
        System policy modification
        
        PID:4000
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:1572
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1304
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4560
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
        9⤵
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:4956
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:2280
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4872
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:4788
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4452
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:3100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:3548
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
        9⤵
        
        PID:3376
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:2996
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1364
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:4880
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:4500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
        9⤵
        
        PID:4920
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
        10⤵
        
        PID:232
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\data.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
        11⤵
        
        PID:524
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:4608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:3976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2120
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3500
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:4416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:4932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1136
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1844
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3564
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:4724
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2540
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:3480
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:4560
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
        7⤵
        
        PID:932
        
        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        8⤵
        
        PID:1792
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
        7⤵
        
        PID:716
        
        C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        8⤵
        
        PID:4072
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
        7⤵
        System policy modification
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
        9⤵
        
        PID:1052
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
        10⤵
        System policy modification
        
        PID:5028
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:3672
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
        11⤵
        
        PID:832
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
        12⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:4184
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
        13⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
        14⤵
        
        PID:3792
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
        14⤵
        System policy modification
        
        PID:3268
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
        14⤵
        
        PID:4168
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:2468
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
        14⤵
        
        PID:2868
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
        14⤵
        
        PID:728
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
        14⤵
        
        PID:4908
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
        13⤵
        Drops file in Program Files directory
        
        PID:2584
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
        14⤵
        
        PID:1036
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
        14⤵
        
        PID:4476
        
        C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
        14⤵
        
        PID:4748
      - C:\Program Files (x86)\Common Files\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
        6⤵
        
        PID:1376
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
        7⤵
        
        PID:3712
      - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1284
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
        7⤵
        
        PID:1304
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
        7⤵
        
        PID:3136
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:4472
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:4948
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        System policy modification
        
        PID:5016
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:4476
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\data.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:4164
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\update.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
        7⤵
        
        PID:4176
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:2740
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:3388
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:832
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:5008
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2764
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
        7⤵
        System policy modification
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
        7⤵
        System policy modification
        
        PID:2924
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:3976
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        
        PID:1004
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\update.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\update.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        
        PID:1920
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2456
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:2868
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:4320
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:4328
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:4888
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\data.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\data.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:3272
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:4748
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:3724
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:3576
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:412
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2664
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3728
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:452
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:3484
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\update.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\update.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:3916
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        System policy modification
        
        PID:2120
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2744
        
        C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{622B5345-A3DF-4616-B086-BDE38350F13B}\
        8⤵
        
        PID:4884
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2476
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1692
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        System policy modification
        
        PID:3372
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:1360
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2292
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:4548
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1004
      - C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Internet Explorer\ja-JP\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\update.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1036
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Drops file in Program Files directory
        
        PID:1712
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        System policy modification
        
        PID:1528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        Drops file in Program Files directory
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        8⤵
        Drops file in Program Files directory
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        9⤵
        System policy modification
        
        PID:3596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
        10⤵
        
        PID:1276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
        10⤵
        
        PID:2436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        9⤵
        
        PID:1924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        8⤵
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\System Restore.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\
        7⤵
        
        PID:60
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:3556
    - - C:\Program Files (x86)\Microsoft.NET\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft.NET\System Restore.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:644
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:1828
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:1960
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:4828
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:3388
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:4876
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2476
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2296
      - C:\Users\Admin\3D Objects\backup.exe
        
        "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
        6⤵
        System policy modification
        
        PID:1376
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        System policy modification
        
        PID:1524
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        System policy modification
        
        PID:4076
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
        7⤵
        
        PID:4224
        
        C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
        
        "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1052
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:64
      - C:\Users\Admin\Links\update.exe
        
        C:\Users\Admin\Links\update.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2604
      - C:\Users\Admin\Music\data.exe
        
        C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
        6⤵
        
        PID:3100
      - C:\Users\Admin\OneDrive\backup.exe
        
        C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
        6⤵
        
        PID:3276
      - C:\Users\Admin\Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\System Restore.exe" C:\Users\Admin\Pictures\
        6⤵
        
        PID:2808
        
        C:\Users\Admin\Pictures\Camera Roll\backup.exe
        
        "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
        7⤵
        
        PID:2772
        
        C:\Users\Admin\Pictures\Saved Pictures\backup.exe
        
        "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
        7⤵
        
        PID:2928
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2200
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:3568
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1592
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3492
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:4404
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:4328
      - C:\Users\Public\Pictures\data.exe
        
        C:\Users\Public\Pictures\data.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1592
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:4328
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Windows directory
      PID:4592
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:964
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:4428
      - C:\Windows\appcompat\appraiser\backup.exe
        
        C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
        6⤵
        
        PID:2388
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe
        
        C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
        7⤵
        
        PID:4224
      - C:\Windows\appcompat\encapsulation\update.exe
        
        C:\Windows\appcompat\encapsulation\update.exe C:\Windows\appcompat\encapsulation\
        6⤵
        
        PID:3524
      - C:\Windows\appcompat\Programs\backup.exe
        
        C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
        6⤵
        
        PID:3976
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:880
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:2872
        
        C:\Windows\apppatch\Custom\Custom64\update.exe
        
        C:\Windows\apppatch\Custom\Custom64\update.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        Drops file in Windows directory
        
        PID:2388
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:2868
      - C:\Windows\apppatch\de-DE\update.exe
        
        C:\Windows\apppatch\de-DE\update.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:1644
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:4196
      - C:\Windows\apppatch\es-ES\backup.exe
        
        C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
        6⤵
        
        PID:4428
      - C:\Windows\apppatch\fr-FR\backup.exe
        
        C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
        6⤵
        
        PID:2748
      - C:\Windows\apppatch\it-IT\data.exe
        
        C:\Windows\apppatch\it-IT\data.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:1924
      - C:\Windows\apppatch\ja-JP\backup.exe
        
        C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
        6⤵
        
        PID:3112
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        
        PID:3524
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:748
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:4864
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1172
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2476
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Drops file in Windows directory
        
        PID:4708
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1208
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        
        PID:1996
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:4896
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:1000
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:4500
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:1944
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Windows directory
        System policy modification
        
        PID:3816
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:2604
      - C:\Windows\Branding\shellbrd\backup.exe
        
        C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
        6⤵
        
        PID:5040
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:2216
- C:\Users\Admin\AppData\Local\Temp\623142841\backup.exe
  C:\Users\Admin\AppData\Local\Temp\623142841\backup.exe C:\Users\Admin\AppData\Local\Temp\623142841\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:716
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
378KB

MD5
63e72e6426857181c6c45674ac6d1dc3

SHA1
8bc22a867d3b114f46b8eece5bc1d94b439bd720

SHA256
da7cf732b8f4df15d6c66309b80e45b9baa299ea3ac11eaf6583edd696899c77

SHA512
0af3e7a2fa338aea983a114773bff684c2e7ce39d234cab23b7432167a870c13292869244d30d3c6fc60753b9f1e89081b5f5e8aa1ff8af81a139494c8ba7bfb

Download Submit
C:\PerfLogs\backup.exe

Filesize
378KB

MD5
63e72e6426857181c6c45674ac6d1dc3

SHA1
8bc22a867d3b114f46b8eece5bc1d94b439bd720

SHA256
da7cf732b8f4df15d6c66309b80e45b9baa299ea3ac11eaf6583edd696899c77

SHA512
0af3e7a2fa338aea983a114773bff684c2e7ce39d234cab23b7432167a870c13292869244d30d3c6fc60753b9f1e89081b5f5e8aa1ff8af81a139494c8ba7bfb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
378KB

MD5
ac7cf208502dab2a18b3a3c07ad4f8f2

SHA1
a142bf9b65101493b8ebe464a9d04f259d94d565

SHA256
89f9cdd71f96d46cfbb72fdd3132c7d71be056fbbe70d40fbd57e0198cc4bf7e

SHA512
72c95ea2bbf38603302777168144d054e51d10e5bb98166a97a9ff18b9b2f6ec383247450e29840dadae3013ee4424c6f99569c2d963d43addaff23520636fee

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
378KB

MD5
ac7cf208502dab2a18b3a3c07ad4f8f2

SHA1
a142bf9b65101493b8ebe464a9d04f259d94d565

SHA256
89f9cdd71f96d46cfbb72fdd3132c7d71be056fbbe70d40fbd57e0198cc4bf7e

SHA512
72c95ea2bbf38603302777168144d054e51d10e5bb98166a97a9ff18b9b2f6ec383247450e29840dadae3013ee4424c6f99569c2d963d43addaff23520636fee

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
7cf13b372979438c3e94e8f6d0a035e9

SHA1
2fde90b655e6b1485d872da2faf7fca5fd15b950

SHA256
5ba3dd83b013119f1ab2985dfeb86f43db7f1b20357a24a2e2521592e0df012c

SHA512
bc65405f0bd07024ea33c738c72c40ee975b37c62a81b3f01fb173a9f0f7849929c168d2a924344609db5c16ba59674583d502bc90aaec92d95210686ca9d829

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
378KB

MD5
7cf13b372979438c3e94e8f6d0a035e9

SHA1
2fde90b655e6b1485d872da2faf7fca5fd15b950

SHA256
5ba3dd83b013119f1ab2985dfeb86f43db7f1b20357a24a2e2521592e0df012c

SHA512
bc65405f0bd07024ea33c738c72c40ee975b37c62a81b3f01fb173a9f0f7849929c168d2a924344609db5c16ba59674583d502bc90aaec92d95210686ca9d829

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
378KB

MD5
c37d6a8a9f538c4cbf5832317455d0e6

SHA1
116869a631004e88d3753130dc8b8b91a8ab5c1e

SHA256
85add831734aa81c95f30fd32b2e75616d471b37484d2bcff881907fe5ba157f

SHA512
818241c3fa0fee0145d77cdd51f53ba81d80f92979e00bcd75a71f9bea715a24e54f4a42210173f03c35ff9d87f009057749890c9552f6e2b35767283c6d8138

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
378KB

MD5
c37d6a8a9f538c4cbf5832317455d0e6

SHA1
116869a631004e88d3753130dc8b8b91a8ab5c1e

SHA256
85add831734aa81c95f30fd32b2e75616d471b37484d2bcff881907fe5ba157f

SHA512
818241c3fa0fee0145d77cdd51f53ba81d80f92979e00bcd75a71f9bea715a24e54f4a42210173f03c35ff9d87f009057749890c9552f6e2b35767283c6d8138

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
440d56ca7aa41b904ae0fbef59c5fc39

SHA1
ca7530fa6be811f3522896904421c4c1d1607537

SHA256
7677df3982f824b90dea310be7395e614958afa38e5c8547462be6761822e7d1

SHA512
5f1a30917c5b2d901c004a1554b4e379fc46e564d0894ddfb4affc65b43b3c87a30f08b7e2df301163e224609ad5a0327bd65f84dd041f8b78af67a561383a9a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
378KB

MD5
440d56ca7aa41b904ae0fbef59c5fc39

SHA1
ca7530fa6be811f3522896904421c4c1d1607537

SHA256
7677df3982f824b90dea310be7395e614958afa38e5c8547462be6761822e7d1

SHA512
5f1a30917c5b2d901c004a1554b4e379fc46e564d0894ddfb4affc65b43b3c87a30f08b7e2df301163e224609ad5a0327bd65f84dd041f8b78af67a561383a9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
378KB

MD5
2a6ad8119cfbb094646aaf69fb16db45

SHA1
ab3d702d71f69ccc3f785c611a61a17e451d3b3b

SHA256
30af9db23d323e6194c823802168d31f19bd35c6d42a8a0ec8472839a6151bf6

SHA512
dd0658302e6d98c228b86b9e6f625c0df560fb847538aafd6ce6a84250c8da3a80272c436e18d2ba3d7d993fddcd20817dd4a2fec6ceed30be632889ec860fc7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
378KB

MD5
2a6ad8119cfbb094646aaf69fb16db45

SHA1
ab3d702d71f69ccc3f785c611a61a17e451d3b3b

SHA256
30af9db23d323e6194c823802168d31f19bd35c6d42a8a0ec8472839a6151bf6

SHA512
dd0658302e6d98c228b86b9e6f625c0df560fb847538aafd6ce6a84250c8da3a80272c436e18d2ba3d7d993fddcd20817dd4a2fec6ceed30be632889ec860fc7

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
378KB

MD5
c37d6a8a9f538c4cbf5832317455d0e6

SHA1
116869a631004e88d3753130dc8b8b91a8ab5c1e

SHA256
85add831734aa81c95f30fd32b2e75616d471b37484d2bcff881907fe5ba157f

SHA512
818241c3fa0fee0145d77cdd51f53ba81d80f92979e00bcd75a71f9bea715a24e54f4a42210173f03c35ff9d87f009057749890c9552f6e2b35767283c6d8138

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
378KB

MD5
c37d6a8a9f538c4cbf5832317455d0e6

SHA1
116869a631004e88d3753130dc8b8b91a8ab5c1e

SHA256
85add831734aa81c95f30fd32b2e75616d471b37484d2bcff881907fe5ba157f

SHA512
818241c3fa0fee0145d77cdd51f53ba81d80f92979e00bcd75a71f9bea715a24e54f4a42210173f03c35ff9d87f009057749890c9552f6e2b35767283c6d8138

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
378KB

MD5
fcc0baf74d8f822f65dda04c56811ca6

SHA1
864e45d2855e722400a2f25b69f7169d0d4ccba5

SHA256
80601ac9fef9b800499e4ba1709627902e8d5b5fcc1510c6f93486f601885610

SHA512
dd2e42dd937715f72a4c59e6b61677e1576e41e5ac5a06ddcf447e1eb5fbdda0330516a6b9d02aa3fb8b3b4698ea7cf099e091bc343e61d3ebe4001fcff94c38

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
378KB

MD5
fcc0baf74d8f822f65dda04c56811ca6

SHA1
864e45d2855e722400a2f25b69f7169d0d4ccba5

SHA256
80601ac9fef9b800499e4ba1709627902e8d5b5fcc1510c6f93486f601885610

SHA512
dd2e42dd937715f72a4c59e6b61677e1576e41e5ac5a06ddcf447e1eb5fbdda0330516a6b9d02aa3fb8b3b4698ea7cf099e091bc343e61d3ebe4001fcff94c38

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\data.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\data.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
378KB

MD5
3545dca94d2462a2b80d0cca7496c3a5

SHA1
19a63431b5fbcd4443e584142d86c5805e530e9c

SHA256
c68b82932b4d27b778522089727c38277ff87ad7845967915ce22a40e1e22c2e

SHA512
1ca4ce7941777534deffd7c6ca31f202fc06946a6bb2ed1106a0cd47884e733ceaacf2aa52fec19770bbea1e323be3782cf34d0192a1ff211a2f5e52508bd277

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
378KB

MD5
b929fe9eac31fc9be8737ceecf691314

SHA1
4fa894451849bac30b9c265bad1fd48134f99048

SHA256
7e2fb066b6a2afc869c3f51340d49a057925604a05a87cdb2705123259fbbdfe

SHA512
d6dc56e409ffbacc19e855f49adb48c613c4dfe4a40b6694c1fd96e7858eb244622bd8c89df5477318a929f8f4ba1ed77954aa1e1a6f78df51a0d4ded0d27303

Download Submit
C:\Program Files\data.exe

Filesize
378KB

MD5
63e72e6426857181c6c45674ac6d1dc3

SHA1
8bc22a867d3b114f46b8eece5bc1d94b439bd720

SHA256
da7cf732b8f4df15d6c66309b80e45b9baa299ea3ac11eaf6583edd696899c77

SHA512
0af3e7a2fa338aea983a114773bff684c2e7ce39d234cab23b7432167a870c13292869244d30d3c6fc60753b9f1e89081b5f5e8aa1ff8af81a139494c8ba7bfb

Download Submit
C:\Program Files\data.exe

Filesize
378KB

MD5
63e72e6426857181c6c45674ac6d1dc3

SHA1
8bc22a867d3b114f46b8eece5bc1d94b439bd720

SHA256
da7cf732b8f4df15d6c66309b80e45b9baa299ea3ac11eaf6583edd696899c77

SHA512
0af3e7a2fa338aea983a114773bff684c2e7ce39d234cab23b7432167a870c13292869244d30d3c6fc60753b9f1e89081b5f5e8aa1ff8af81a139494c8ba7bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\623142841\backup.exe

Filesize
378KB

MD5
ddb7c00678282b84f3d05b6ecf14df94

SHA1
488f37127d4ee1d473ac57c382a1da75d4a89307

SHA256
ef074d37a682f94a5c48822bbbe2bec5fa932162b8c078ab2cd3d2572f315b9a

SHA512
258d8a569e2267bb9d0e33152cd851141f859de6cf1e8197443113808ed9e9b42d335188e47fdec307c0014fb167ff186399b34f37f6270dd3d5934d8c996291

Download Submit
C:\Users\Admin\AppData\Local\Temp\623142841\backup.exe

Filesize
378KB

MD5
ddb7c00678282b84f3d05b6ecf14df94

SHA1
488f37127d4ee1d473ac57c382a1da75d4a89307

SHA256
ef074d37a682f94a5c48822bbbe2bec5fa932162b8c078ab2cd3d2572f315b9a

SHA512
258d8a569e2267bb9d0e33152cd851141f859de6cf1e8197443113808ed9e9b42d335188e47fdec307c0014fb167ff186399b34f37f6270dd3d5934d8c996291

Download Submit
C:\Users\Admin\AppData\Local\Temp\623142841\backup.exe

Filesize
378KB

MD5
ddb7c00678282b84f3d05b6ecf14df94

SHA1
488f37127d4ee1d473ac57c382a1da75d4a89307

SHA256
ef074d37a682f94a5c48822bbbe2bec5fa932162b8c078ab2cd3d2572f315b9a

SHA512
258d8a569e2267bb9d0e33152cd851141f859de6cf1e8197443113808ed9e9b42d335188e47fdec307c0014fb167ff186399b34f37f6270dd3d5934d8c996291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
378KB

MD5
0c7633977955c6674b4e0667c3c0064d

SHA1
1d0ccb5cb213b6a4f10db8388e7663d9305a7d5e

SHA256
59e13278cba02232ac8f86245da9029888ad536b647675fa891ea9fa9446af76

SHA512
0412e1c4939ea422710651fcb7f519c69e8c9fcc819ed8691dcd7f3f7454a9d967faaa72f638801eb01507f1ba038ca7f3d5bc0d369b3e492d3fbb3cfbf8c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
378KB

MD5
0c7633977955c6674b4e0667c3c0064d

SHA1
1d0ccb5cb213b6a4f10db8388e7663d9305a7d5e

SHA256
59e13278cba02232ac8f86245da9029888ad536b647675fa891ea9fa9446af76

SHA512
0412e1c4939ea422710651fcb7f519c69e8c9fcc819ed8691dcd7f3f7454a9d967faaa72f638801eb01507f1ba038ca7f3d5bc0d369b3e492d3fbb3cfbf8c2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
378KB

MD5
4985d9434818e298616e7ae5b8e85eb1

SHA1
f328269745e40f0a18d9ddd7ae4d6951026a094c

SHA256
510353dff6640da105e79ff13a757cc5cfba69b56e17911db0d1b2b0f3536310

SHA512
1125c648965610aa0d4576d00ac8c47002678963d09d81be8595be5d63567f9bc90612c7e07b265651386cb08b6e31c2792bf9f74c98ad06fc389e1ce00db5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
378KB

MD5
4985d9434818e298616e7ae5b8e85eb1

SHA1
f328269745e40f0a18d9ddd7ae4d6951026a094c

SHA256
510353dff6640da105e79ff13a757cc5cfba69b56e17911db0d1b2b0f3536310

SHA512
1125c648965610aa0d4576d00ac8c47002678963d09d81be8595be5d63567f9bc90612c7e07b265651386cb08b6e31c2792bf9f74c98ad06fc389e1ce00db5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
378KB

MD5
1e8e02e7bf4443fc6ee5764e0a82f197

SHA1
9a5eb9fdd5fe8a4cea078ce9d4211d8c069bf1c3

SHA256
9623ce0a0d68efcc29ff2db2d11fd6b8f5b05bba7f55511531b251c7a8d86c28

SHA512
03163ff20cac572371ac6e0780397d39cdcba30706de909bcdf91d7b79271443f3c3d0f2d0e84461d83fa72491e760609c8cc87d6886a79ce06b22451984885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
378KB

MD5
1e8e02e7bf4443fc6ee5764e0a82f197

SHA1
9a5eb9fdd5fe8a4cea078ce9d4211d8c069bf1c3

SHA256
9623ce0a0d68efcc29ff2db2d11fd6b8f5b05bba7f55511531b251c7a8d86c28

SHA512
03163ff20cac572371ac6e0780397d39cdcba30706de909bcdf91d7b79271443f3c3d0f2d0e84461d83fa72491e760609c8cc87d6886a79ce06b22451984885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
378KB

MD5
08a7370b235b138147022fd1fbf25222

SHA1
e8404eef1001b678b5b1b5a9889ca200931e5b67

SHA256
2e95b4a084d2c645f5f13c5da6a33a9ea563e3e3a26449a39cfb4cac5f6fbb2d

SHA512
01a13a233e1d559e74a9cd8d686bd82e9c327559c40203adeb079f212624bf0020a6d041bcf0a12ab463c8f329c3d84bc58fa0bf108435f43178d7035c1bca37

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
23KB

MD5
314565f47a872f8d0c8150b09e539cc4

SHA1
38f46691d2d3d059052793584211594522254953

SHA256
1f73ccf09bb2fd5eaac045e12facad71ed03668bd678b569ef9ffc5875d5780e

SHA512
30f23042b5bc422d7e8a9da210849f515ada0cf17ecc3778243844c2ab5b8040da091e94cc7af8ab4676dd2c793980fb53ddbf9c7f63056f8d357498983c7fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{66F838ED-0796-4485-88D6-6506D0F33DCD}\data.exe

Filesize
378KB

MD5
ddb7c00678282b84f3d05b6ecf14df94

SHA1
488f37127d4ee1d473ac57c382a1da75d4a89307

SHA256
ef074d37a682f94a5c48822bbbe2bec5fa932162b8c078ab2cd3d2572f315b9a

SHA512
258d8a569e2267bb9d0e33152cd851141f859de6cf1e8197443113808ed9e9b42d335188e47fdec307c0014fb167ff186399b34f37f6270dd3d5934d8c996291

Download Submit
C:\Users\Admin\AppData\Local\Temp\{66F838ED-0796-4485-88D6-6506D0F33DCD}\data.exe

Filesize
378KB

MD5
ddb7c00678282b84f3d05b6ecf14df94

SHA1
488f37127d4ee1d473ac57c382a1da75d4a89307

SHA256
ef074d37a682f94a5c48822bbbe2bec5fa932162b8c078ab2cd3d2572f315b9a

SHA512
258d8a569e2267bb9d0e33152cd851141f859de6cf1e8197443113808ed9e9b42d335188e47fdec307c0014fb167ff186399b34f37f6270dd3d5934d8c996291

Download Submit
C:\backup.exe

Filesize
378KB

MD5
f8d1d7419211c8c974c91dfee6854a12

SHA1
9e4912341cdb7615197a0c0e10eb29e8f1bea0ab

SHA256
4db682741ff410c5154a3eefb0dbf25beae7234a7e81ee1bbf4a5f12248d43e4

SHA512
b6af2dc39851fb469a8d3077d67afe6a8156b8b0d78cb96ab0364e30ef6e1ecb6878cb922d66bc258e53f8c19bbb8400a8a533dd3cdc20904e42b01144e6949c

Download Submit
C:\backup.exe

Filesize
378KB

MD5
f8d1d7419211c8c974c91dfee6854a12

SHA1
9e4912341cdb7615197a0c0e10eb29e8f1bea0ab

SHA256
4db682741ff410c5154a3eefb0dbf25beae7234a7e81ee1bbf4a5f12248d43e4

SHA512
b6af2dc39851fb469a8d3077d67afe6a8156b8b0d78cb96ab0364e30ef6e1ecb6878cb922d66bc258e53f8c19bbb8400a8a533dd3cdc20904e42b01144e6949c

Download Submit
C:\odt\backup.exe

Filesize
378KB

MD5
f7c50396fef1a466230ee02e8f8aa610

SHA1
65415cb78750ff8c57d2f83b72e12a3f6df88b4c

SHA256
ab4abe2b70c36d7091c984d4b478cc22c44a65901e9ae7a1c986c2bf335e4206

SHA512
9680488f4b4c57c18b83669bf213964501f61b6b2188d8ec5a4cc0095d452967db64982ab5dde660e948fc753eff4ebb0aaee43ee9ad1630d4915c85d27b2cab

Download Submit
C:\odt\backup.exe

Filesize
378KB

MD5
f7c50396fef1a466230ee02e8f8aa610

SHA1
65415cb78750ff8c57d2f83b72e12a3f6df88b4c

SHA256
ab4abe2b70c36d7091c984d4b478cc22c44a65901e9ae7a1c986c2bf335e4206

SHA512
9680488f4b4c57c18b83669bf213964501f61b6b2188d8ec5a4cc0095d452967db64982ab5dde660e948fc753eff4ebb0aaee43ee9ad1630d4915c85d27b2cab

Download Submit
memory/64-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-626-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/396-499-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/492-708-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/632-674-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/640-401-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/716-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/716-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/840-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/880-700-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/932-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/932-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1000-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1004-247-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1052-181-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-470-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1136-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1184-467-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1216-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1284-318-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1392-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1436-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1440-217-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-694-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1448-716-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1492-209-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1660-274-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1668-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-726-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1712-550-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-680-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-537-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1960-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-438-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2008-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2092-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-288-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2140-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-544-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-614-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2400-567-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-264-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2476-682-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-503-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2716-308-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2840-525-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-224-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-602-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2984-529-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-600-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3128-345-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3168-232-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3176-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-176-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3256-718-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3256-546-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-668-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3288-450-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-652-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3312-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3364-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3476-239-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3520-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-563-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3680-585-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3680-569-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3684-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3888-571-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-601-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3920-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-629-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-615-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3940-426-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-269-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3976-687-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3976-495-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3988-227-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4080-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4084-508-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4132-714-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4132-526-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4144-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4196-678-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4196-501-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4348-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-633-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-406-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4380-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4452-675-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4460-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4464-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4472-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4476-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4488-421-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-335-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4548-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-505-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-560-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-715-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-558-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4948-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-589-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5028-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5044-568-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5044-588-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5044-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads