06f75f9690200a806f737e2a6786568b205aa6f15a27ea2309c5aaa6f6a672d4

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0812eb8a3dab6663a95b4f27846d8183.exe
Size

72KB
MD5

0812eb8a3dab6663a95b4f27846d8183
SHA1

352aada2b271bb292513793de4a4cb26a82aed08
SHA256

06f75f9690200a806f737e2a6786568b205aa6f15a27ea2309c5aaa6f6a672d4
SHA512

7513d0e377e054ea7a3e7c3e772e8b4442a1463d13fa3134cfc8eec5ac5fe76d3c0dac02777c8fe404245c782c4c22b5119e16f0513fcd3352ef2b4f3ba2e20e
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2g:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr8

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0812eb8a3dab6663a95b4f27846d8183.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
3680	backup.exe
4316	backup.exe
4712	backup.exe
4528	backup.exe
4928	backup.exe
3196	backup.exe
4648	backup.exe
4556	backup.exe
4612	backup.exe
5056	backup.exe
1840	backup.exe
1364	backup.exe
2444	backup.exe
1548	System Restore.exe
968	backup.exe
540	backup.exe
2108	System Restore.exe
1360	backup.exe
2308	backup.exe
3396	backup.exe
3236	backup.exe
1592	backup.exe
3484	backup.exe
2100	backup.exe
1348	backup.exe
2456	backup.exe
2556	backup.exe
4048	backup.exe
2028	update.exe
1448	backup.exe
2416	backup.exe
1304	update.exe
4468	backup.exe
2692	backup.exe
4652	backup.exe
3596	backup.exe
756	backup.exe
4328	backup.exe
3280	backup.exe
3032	backup.exe
1000	backup.exe
4668	data.exe
4004	backup.exe
3480	backup.exe
3800	backup.exe
2304	backup.exe
3412	backup.exe
1768	data.exe
4484	backup.exe
3140	backup.exe
2068	backup.exe
4460	backup.exe
3688	backup.exe
2980	backup.exe
2876	backup.exe
4608	backup.exe
2024	backup.exe
1564	backup.exe
4428	backup.exe
4436	backup.exe
4268	data.exe
4468	backup.exe
4132	backup.exe
1524	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	mousocoreworker.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\bcastdvr\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	System Restore.exe
File opened for modification	C:\Windows\DiagTrack\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\shellbrd\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\System Restore.exe	backup.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	update.exe
File opened for modification	C:\Windows\Branding\Basebrd\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\serviced\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	System Restore.exe
File opened for modification	C:\Windows\CbsTemp\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\update.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\update.exe	backup.exe
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\Containers\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1776	0812eb8a3dab6663a95b4f27846d8183.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1776	0812eb8a3dab6663a95b4f27846d8183.exe
3680	backup.exe
4316	backup.exe
4712	backup.exe
4528	backup.exe
4928	backup.exe
3196	backup.exe
4648	backup.exe
4556	backup.exe
4612	backup.exe
5056	backup.exe
1840	backup.exe
1364	backup.exe
2444	backup.exe
1548	System Restore.exe
968	backup.exe
540	backup.exe
2108	System Restore.exe
1360	backup.exe
2308	backup.exe
3396	backup.exe
3236	backup.exe
1592	backup.exe
3484	backup.exe
2100	backup.exe
1348	backup.exe
2456	backup.exe
2556	backup.exe
4048	backup.exe
2028	update.exe
1448	backup.exe
2416	backup.exe
1304	update.exe
4468	backup.exe
2692	backup.exe
4652	backup.exe
3596	backup.exe
756	backup.exe
4328	backup.exe
3280	backup.exe
3032	backup.exe
1000	backup.exe
4668	data.exe
4004	backup.exe
3480	backup.exe
3800	backup.exe
2304	backup.exe
3412	backup.exe
1768	data.exe
4484	backup.exe
3140	backup.exe
2068	backup.exe
4460	backup.exe
3688	backup.exe
2980	backup.exe
2876	backup.exe
4608	backup.exe
2024	backup.exe
1564	backup.exe
4428	backup.exe
4268	data.exe
4436	backup.exe
4468	backup.exe
4132	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 3680	1776	0812eb8a3dab6663a95b4f27846d8183.exe	94
PID 1776 wrote to memory of 3680	1776	0812eb8a3dab6663a95b4f27846d8183.exe	94
PID 1776 wrote to memory of 3680	1776	0812eb8a3dab6663a95b4f27846d8183.exe	94
PID 1776 wrote to memory of 4316	1776	0812eb8a3dab6663a95b4f27846d8183.exe	93
PID 1776 wrote to memory of 4316	1776	0812eb8a3dab6663a95b4f27846d8183.exe	93
PID 1776 wrote to memory of 4316	1776	0812eb8a3dab6663a95b4f27846d8183.exe	93
PID 1776 wrote to memory of 4712	1776	0812eb8a3dab6663a95b4f27846d8183.exe	96
PID 1776 wrote to memory of 4712	1776	0812eb8a3dab6663a95b4f27846d8183.exe	96
PID 1776 wrote to memory of 4712	1776	0812eb8a3dab6663a95b4f27846d8183.exe	96
PID 1776 wrote to memory of 4528	1776	0812eb8a3dab6663a95b4f27846d8183.exe	95
PID 1776 wrote to memory of 4528	1776	0812eb8a3dab6663a95b4f27846d8183.exe	95
PID 1776 wrote to memory of 4528	1776	0812eb8a3dab6663a95b4f27846d8183.exe	95
PID 1776 wrote to memory of 4928	1776	0812eb8a3dab6663a95b4f27846d8183.exe	100
PID 1776 wrote to memory of 4928	1776	0812eb8a3dab6663a95b4f27846d8183.exe	100
PID 1776 wrote to memory of 4928	1776	0812eb8a3dab6663a95b4f27846d8183.exe	100
PID 1776 wrote to memory of 3196	1776	0812eb8a3dab6663a95b4f27846d8183.exe	97
PID 1776 wrote to memory of 3196	1776	0812eb8a3dab6663a95b4f27846d8183.exe	97
PID 1776 wrote to memory of 3196	1776	0812eb8a3dab6663a95b4f27846d8183.exe	97
PID 1776 wrote to memory of 4648	1776	0812eb8a3dab6663a95b4f27846d8183.exe	99
PID 1776 wrote to memory of 4648	1776	0812eb8a3dab6663a95b4f27846d8183.exe	99
PID 1776 wrote to memory of 4648	1776	0812eb8a3dab6663a95b4f27846d8183.exe	99
PID 1776 wrote to memory of 4556	1776	0812eb8a3dab6663a95b4f27846d8183.exe	98
PID 1776 wrote to memory of 4556	1776	0812eb8a3dab6663a95b4f27846d8183.exe	98
PID 1776 wrote to memory of 4556	1776	0812eb8a3dab6663a95b4f27846d8183.exe	98
PID 1776 wrote to memory of 4612	1776	0812eb8a3dab6663a95b4f27846d8183.exe	101
PID 1776 wrote to memory of 4612	1776	0812eb8a3dab6663a95b4f27846d8183.exe	101
PID 1776 wrote to memory of 4612	1776	0812eb8a3dab6663a95b4f27846d8183.exe	101
PID 3680 wrote to memory of 5056	3680	backup.exe	136
PID 3680 wrote to memory of 5056	3680	backup.exe	136
PID 3680 wrote to memory of 5056	3680	backup.exe	136
PID 4612 wrote to memory of 1840	4612	backup.exe	102
PID 4612 wrote to memory of 1840	4612	backup.exe	102
PID 4612 wrote to memory of 1840	4612	backup.exe	102
PID 5056 wrote to memory of 1364	5056	backup.exe	135
PID 5056 wrote to memory of 1364	5056	backup.exe	135
PID 5056 wrote to memory of 1364	5056	backup.exe	135
PID 1840 wrote to memory of 2444	1840	backup.exe	103
PID 1840 wrote to memory of 2444	1840	backup.exe	103
PID 1840 wrote to memory of 2444	1840	backup.exe	103
PID 5056 wrote to memory of 1548	5056	backup.exe	134
PID 5056 wrote to memory of 1548	5056	backup.exe	134
PID 5056 wrote to memory of 1548	5056	backup.exe	134
PID 5056 wrote to memory of 968	5056	backup.exe	104
PID 5056 wrote to memory of 968	5056	backup.exe	104
PID 5056 wrote to memory of 968	5056	backup.exe	104
PID 968 wrote to memory of 540	968	backup.exe	105
PID 968 wrote to memory of 540	968	backup.exe	105
PID 968 wrote to memory of 540	968	backup.exe	105
PID 540 wrote to memory of 2108	540	backup.exe	111
PID 540 wrote to memory of 2108	540	backup.exe	111
PID 540 wrote to memory of 2108	540	backup.exe	111
PID 968 wrote to memory of 1360	968	backup.exe	110
PID 968 wrote to memory of 1360	968	backup.exe	110
PID 968 wrote to memory of 1360	968	backup.exe	110
PID 1360 wrote to memory of 2308	1360	backup.exe	106
PID 1360 wrote to memory of 2308	1360	backup.exe	106
PID 1360 wrote to memory of 2308	1360	backup.exe	106
PID 1360 wrote to memory of 3396	1360	backup.exe	109
PID 1360 wrote to memory of 3396	1360	backup.exe	109
PID 1360 wrote to memory of 3396	1360	backup.exe	109
PID 3396 wrote to memory of 3236	3396	backup.exe	107
PID 3396 wrote to memory of 3236	3396	backup.exe	107
PID 3396 wrote to memory of 3236	3396	backup.exe	107
PID 3396 wrote to memory of 1592	3396	backup.exe	108

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe

C:\Users\Admin\AppData\Local\Temp\0812eb8a3dab6663a95b4f27846d8183.exe
"C:\Users\Admin\AppData\Local\Temp\0812eb8a3dab6663a95b4f27846d8183.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\2219311483\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2219311483\backup.exe C:\Users\Admin\AppData\Local\Temp\2219311483\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\{11BBD838-5A68-43A7-A04D-E0D75B51D1D1}\backup.exe
  C:\Users\Admin\AppData\Local\Temp\{11BBD838-5A68-43A7-A04D-E0D75B51D1D1}\backup.exe C:\Users\Admin\AppData\Local\Temp\{11BBD838-5A68-43A7-A04D-E0D75B51D1D1}\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5056
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1564
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4132
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
        6⤵
        Disables RegEdit via registry modification
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
        7⤵
        
        PID:1208
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
        8⤵
        Drops file in Program Files directory
        
        PID:1384
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
        9⤵
        
        PID:4580
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
        9⤵
        
        PID:2864
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
        8⤵
        
        PID:4044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
        8⤵
        
        PID:5068
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3420
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
        8⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
        8⤵
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
        9⤵
        
        PID:4264
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
        8⤵
        
        PID:4404
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
        9⤵
        
        PID:4960
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
        8⤵
        
        PID:3484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:4484
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
        8⤵
        Disables RegEdit via registry modification
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\
        8⤵
        
        PID:460
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
        8⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:3088
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
        8⤵
        System policy modification
        
        PID:3604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
        7⤵
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
        8⤵
        
        PID:4132
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
        9⤵
        
        PID:2416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
        8⤵
        
        PID:3932
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
        8⤵
        
        PID:4736
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
        7⤵
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
        8⤵
        
        PID:1956
        
        C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\
        9⤵
        
        PID:5040
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3044
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1228
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1436
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2148
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:4608
      - C:\Program Files (x86)\Common Files\Oracle\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\backup.exe" C:\Program Files (x86)\Common Files\Oracle\
        6⤵
        
        PID:2692
        
        C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\
        7⤵
        Drops file in Program Files directory
        
        PID:4600
        
        C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe
        
        "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\backup.exe" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
        8⤵
        Drops file in Program Files directory
        
        PID:4852
      - C:\Program Files (x86)\Common Files\Services\update.exe
        
        "C:\Program Files (x86)\Common Files\Services\update.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        Drops file in Program Files directory
        
        PID:4276
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        System policy modification
        
        PID:3024
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:5356
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:5080
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:5500
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:6056
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:5516
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\data.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\data.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:6072
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5496
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:6052
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5288
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:5408
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:5276
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\
        8⤵
        
        PID:5208
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:6048
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:844
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:5964
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:5300
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:4844
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:4372
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:872
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:4152
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:3744
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        System policy modification
        
        PID:2124
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:5440
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        Drops file in Program Files directory
        
        PID:2712
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:5952
      - C:\Program Files (x86)\Internet Explorer\images\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
        6⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Microsoft\backup.exe" C:\Program Files (x86)\Microsoft\
        5⤵
        Drops file in Program Files directory
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
        6⤵
        Drops file in Program Files directory
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
        7⤵
        
        PID:4932
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\
        6⤵
        
        PID:5468
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\
        7⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\
        8⤵
        
        PID:5724
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.181.5\
        9⤵
        
        PID:940
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\
        7⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{E4FBDD16-2A1A-4FDF-9C8E-10478DC21AD4}\backup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{E4FBDD16-2A1A-4FDF-9C8E-10478DC21AD4}\backup.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{E4FBDD16-2A1A-4FDF-9C8E-10478DC21AD4}\
        8⤵
        
        PID:676
      - C:\Program Files (x86)\Microsoft\Temp\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\backup.exe" C:\Program Files (x86)\Microsoft\Temp\
        6⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:4036
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:5548
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:6040
    - - C:\Program Files (x86)\Reference Assemblies\data.exe
        
        "C:\Program Files (x86)\Reference Assemblies\data.exe" C:\Program Files (x86)\Reference Assemblies\
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        Disables RegEdit via registry modification
        
        PID:5300
    - - C:\Program Files (x86)\Windows Defender\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\backup.exe" C:\Program Files (x86)\Windows Defender\
        5⤵
        
        PID:392
      - C:\Program Files (x86)\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\de-DE\backup.exe" C:\Program Files (x86)\Windows Defender\de-DE\
        6⤵
        
        PID:5748
      - C:\Program Files (x86)\Windows Defender\es-ES\backup.exe
        
        "C:\Program Files (x86)\Windows Defender\es-ES\backup.exe" C:\Program Files (x86)\Windows Defender\es-ES\
        6⤵
        
        PID:384
      - C:\Program Files (x86)\Windows Defender\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\System Restore.exe" C:\Program Files (x86)\Windows Defender\fr-FR\
        6⤵
        
        PID:5960
    - - C:\Program Files (x86)\Windows Mail\backup.exe
        
        "C:\Program Files (x86)\Windows Mail\backup.exe" C:\Program Files (x86)\Windows Mail\
        5⤵
        
        PID:4808
    - - C:\Program Files (x86)\Windows Media Player\backup.exe
        
        "C:\Program Files (x86)\Windows Media Player\backup.exe" C:\Program Files (x86)\Windows Media Player\
        5⤵
        
        PID:6064
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:1636
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2704
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:3208
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1248
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:3236
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:4864
    - - C:\Windows\apppatch\backup.exe
        
        C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
        5⤵
        
        PID:1908
      - C:\Windows\apppatch\AppPatch64\backup.exe
        
        C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
        6⤵
        
        PID:3328
      - C:\Windows\apppatch\Custom\backup.exe
        
        C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
        6⤵
        
        PID:4136
        
        C:\Windows\apppatch\Custom\Custom64\data.exe
        
        C:\Windows\apppatch\Custom\Custom64\data.exe C:\Windows\apppatch\Custom\Custom64\
        7⤵
        
        PID:2124
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System Restore.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System Restore.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2088
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:4144
      - C:\Windows\apppatch\CustomSDB\backup.exe
        
        C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
        6⤵
        
        PID:3660
      - C:\Windows\apppatch\de-DE\backup.exe
        
        C:\Windows\apppatch\de-DE\backup.exe C:\Windows\apppatch\de-DE\
        6⤵
        
        PID:1612
      - C:\Windows\apppatch\en-US\backup.exe
        
        C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
        6⤵
        
        PID:4956
      - C:\Windows\apppatch\it-IT\backup.exe
        
        C:\Windows\apppatch\it-IT\backup.exe C:\Windows\apppatch\it-IT\
        6⤵
        
        PID:5840
    - - C:\Windows\appcompat\backup.exe
        
        C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
        5⤵
        Drops file in Windows directory
        
        PID:1924
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:4036
    - - C:\Windows\AppReadiness\backup.exe
        
        C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
        5⤵
        Drops file in Program Files directory
        
        PID:2452
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:3892
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4664
        
        C:\Windows\assembly\GAC\ADODB\update.exe
        
        C:\Windows\assembly\GAC\ADODB\update.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        
        PID:4720
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Drops file in Program Files directory
        
        PID:1956
        
        C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1036\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1036\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2276
        
        C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\3082\backup.exe" C:\Program Files\Microsoft Office\root\Office16\3082\
        9⤵
        
        PID:2452
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\
        9⤵
        
        PID:1716
        
        C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\backup.exe" C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\
        10⤵
        
        PID:424
        
        C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\AugLoop\backup.exe" C:\Program Files\Microsoft Office\root\Office16\AugLoop\
        9⤵
        
        PID:3352
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:1436
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5728
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        Drops file in Windows directory
        
        PID:5788
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:5952
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        Drops file in Windows directory
        
        PID:6020
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:4152
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:5412
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\
        8⤵
        Disables RegEdit via registry modification
        
        PID:5804
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        8⤵
        
        PID:6028
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\update.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\update.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        8⤵
        
        PID:6008
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:5320
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1612
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:5844
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5404
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\CustomMarshalers\System Restore.exe" C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:4556
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Drops file in Windows directory
        
        PID:780
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1744
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1984
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:4644
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1384
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_64\Microsoft.Ink\
        7⤵
        
        PID:2108
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:760
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:4008
    - - C:\Windows\bcastdvr\backup.exe
        
        C:\Windows\bcastdvr\backup.exe C:\Windows\bcastdvr\
        5⤵
        
        PID:748
    - - C:\Windows\Containers\System Restore.exe
        
        "C:\Windows\Containers\System Restore.exe" C:\Windows\Containers\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:1316
      - C:\Windows\Containers\serviced\backup.exe
        
        C:\Windows\Containers\serviced\backup.exe C:\Windows\Containers\serviced\
        6⤵
        
        PID:5384
    - - C:\Windows\debug\System Restore.exe
        
        "C:\Windows\debug\System Restore.exe" C:\Windows\debug\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:4036
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:2108
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:4116
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:5964
    - - C:\Windows\CbsTemp\backup.exe
        
        C:\Windows\CbsTemp\backup.exe C:\Windows\CbsTemp\
        5⤵
        
        PID:5600
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        Drops file in Program Files directory
        Drops file in Windows directory
        
        PID:4008
    - - C:\Windows\DiagTrack\backup.exe
        
        C:\Windows\DiagTrack\backup.exe C:\Windows\DiagTrack\
        5⤵
        Drops file in Windows directory
        
        PID:3684
      - C:\Windows\DiagTrack\Scenarios\backup.exe
        
        C:\Windows\DiagTrack\Scenarios\backup.exe C:\Windows\DiagTrack\Scenarios\
        6⤵
        
        PID:5180
      - C:\Windows\DiagTrack\Settings\backup.exe
        
        C:\Windows\DiagTrack\Settings\backup.exe C:\Windows\DiagTrack\Settings\
        6⤵
        
        PID:5492
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:5504
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:3096
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:2712
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3196
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4556
- - C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
    C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
    3⤵
    PID:2880
  - - C:\Program Files\Microsoft Office\root\Integration\Addons\update.exe
      "C:\Program Files\Microsoft Office\root\Integration\Addons\update.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
      4⤵
      PID:2108
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe
  C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe
    C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe
      C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2444

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:968
- C:\Program Files\7-Zip\backup.exe
  "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:540
- - C:\Program Files\7-Zip\Lang\System Restore.exe
    "C:\Program Files\7-Zip\Lang\System Restore.exe" C:\Program Files\7-Zip\Lang\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2108
- C:\Program Files\Common Files\backup.exe
  "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1360
- - C:\Program Files\Common Files\Services\backup.exe
    "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4428
- - C:\Program Files\Common Files\System\data.exe
    "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
    3⤵
    - System policy modification
    PID:364
  - - C:\Program Files\Common Files\System\ado\backup.exe
      "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:808
    - - C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:4212
    - - C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        5⤵
        
        PID:4488
    - - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        5⤵
        
        PID:1448
    - - C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        5⤵
        
        PID:4648
    - - C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        5⤵
        
        PID:3248
  - - C:\Program Files\Common Files\System\en-US\backup.exe
      "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
      4⤵
      PID:4932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
        5⤵
        Drops file in Program Files directory
        
        PID:4132
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\
        6⤵
        
        PID:6104
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\
        6⤵
        
        PID:6068
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\
        6⤵
        
        PID:4072
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\
        6⤵
        System policy modification
        
        PID:4528
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\
        6⤵
        
        PID:5252
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5900
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\
        6⤵
        
        PID:6100
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
        6⤵
        
        PID:6092
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:5904
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
        6⤵
        
        PID:5388
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\
        6⤵
        
        PID:4620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\
        7⤵
        
        PID:3248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\
        7⤵
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\
        7⤵
        
        PID:4736
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\
        6⤵
        
        PID:4372
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\
        6⤵
        
        PID:5536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\
        5⤵
        System policy modification
        
        PID:736
  - - C:\Program Files\Common Files\System\it-IT\backup.exe
      "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
      4⤵
      PID:2964
  - - C:\Program Files\Common Files\System\msadc\backup.exe
      "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
      4⤵
      PID:2452
    - - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        5⤵
        
        PID:1716
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:3140
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:5560
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:5288
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:5696
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:5220
    - - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        5⤵
        
        PID:3824
    - - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        5⤵
        
        PID:3028
    - - C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1532
  - - C:\Program Files\Common Files\System\Ole DB\backup.exe
      "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
      4⤵
      PID:2148
    - - C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        5⤵
        
        PID:4960
    - - C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
      - C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
        6⤵
        Drops file in Program Files directory
        
        PID:5748
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
        7⤵
        System policy modification
        
        PID:5440
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
        7⤵
        
        PID:5576
        
        C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
        7⤵
        
        PID:2108
      - C:\Program Files\Microsoft Office\root\loc\backup.exe
        
        "C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5492
      - C:\Program Files\Microsoft Office\root\Office15\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
        6⤵
        
        PID:6096
      - C:\Program Files\Microsoft Office\root\Office16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\backup.exe" C:\Program Files\Microsoft Office\root\Office16\
        6⤵
        
        PID:1956
      - C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
        6⤵
        
        PID:5848
      - C:\Program Files\Microsoft Office\root\Licenses\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
        6⤵
        
        PID:4644
      - C:\Program Files\Microsoft Office\root\Integration\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
        6⤵
        
        PID:2880
      - C:\Program Files\Microsoft Office\root\fre\backup.exe
        
        "C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
        6⤵
        
        PID:5848
      - C:\Program Files\Microsoft Office\root\Client\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
        6⤵
        Drops file in Program Files directory
        
        PID:5040
        
        C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\
        7⤵
        
        PID:536
        
        C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\
        7⤵
        
        PID:5980
        
        C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\backup.exe" C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\
        7⤵
        
        PID:5824
    - - C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\update.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        5⤵
        
        PID:2648
    - - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
    - - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        5⤵
        
        PID:3692
    - - C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        5⤵
        
        PID:4048
- C:\Program Files\dotnet\backup.exe
  "C:\Program Files\dotnet\backup.exe" C:\Program Files\dotnet\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4436
- - C:\Program Files\dotnet\host\backup.exe
    "C:\Program Files\dotnet\host\backup.exe" C:\Program Files\dotnet\host\
    3⤵
    PID:5116
  - - C:\Program Files\dotnet\host\fxr\backup.exe
      "C:\Program Files\dotnet\host\fxr\backup.exe" C:\Program Files\dotnet\host\fxr\
      4⤵
      System policy modification
      PID:5040
    - - C:\Program Files\dotnet\host\fxr\6.0.25\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\6.0.25\backup.exe" C:\Program Files\dotnet\host\fxr\6.0.25\
        5⤵
        
        PID:2100
    - - C:\Program Files\dotnet\host\fxr\8.0.0\backup.exe
        
        "C:\Program Files\dotnet\host\fxr\8.0.0\backup.exe" C:\Program Files\dotnet\host\fxr\8.0.0\
        5⤵
        System policy modification
        
        PID:4076
- - C:\Program Files\dotnet\shared\backup.exe
    "C:\Program Files\dotnet\shared\backup.exe" C:\Program Files\dotnet\shared\
    3⤵
    PID:2020
  - - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe
      "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4468
    - - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3952
    - - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\backup.exe
        
        "C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\backup.exe" C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\
        5⤵
        
        PID:1448
  - - C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe
      "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\
      4⤵
      System policy modification
      PID:4104
- - C:\Program Files\dotnet\swidtag\backup.exe
    "C:\Program Files\dotnet\swidtag\backup.exe" C:\Program Files\dotnet\swidtag\
    3⤵
    PID:1476
- C:\Program Files\Google\backup.exe
  "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
  2⤵
  PID:4208
- - C:\Program Files\Google\Chrome\backup.exe
    "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
    3⤵
    PID:3596
- C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  2⤵
  PID:672
- - C:\Program Files\Internet Explorer\de-DE\backup.exe
    "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
    3⤵
    PID:4136
- - C:\Program Files\Internet Explorer\es-ES\System Restore.exe
    "C:\Program Files\Internet Explorer\es-ES\System Restore.exe" C:\Program Files\Internet Explorer\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:2516
- - C:\Program Files\Internet Explorer\fr-FR\backup.exe
    "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
    3⤵
    PID:1448
- - C:\Program Files\Internet Explorer\images\backup.exe
    "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4512
- - C:\Program Files\Internet Explorer\it-IT\backup.exe
    "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
    3⤵
    PID:3932
- - C:\Program Files\Internet Explorer\ja-JP\backup.exe
    "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
    3⤵
    PID:1908
- - C:\Program Files\Internet Explorer\en-US\backup.exe
    "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
    3⤵
    PID:4100
- - C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
    "C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
    3⤵
    PID:1904
- - C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
    "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
    3⤵
    PID:2808
- C:\Program Files\Java\backup.exe
  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
  2⤵
  PID:2348
- - C:\Program Files\Java\jre-1.8\backup.exe
    "C:\Program Files\Java\jre-1.8\backup.exe" C:\Program Files\Java\jre-1.8\
    3⤵
    - Drops file in Program Files directory
    PID:4604
  - - C:\Program Files\Java\jre-1.8\bin\backup.exe
      "C:\Program Files\Java\jre-1.8\bin\backup.exe" C:\Program Files\Java\jre-1.8\bin\
      4⤵
      PID:2808
    - - C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\dtplugin\backup.exe" C:\Program Files\Java\jre-1.8\bin\dtplugin\
        5⤵
        
        PID:3764
    - - C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\plugin2\backup.exe" C:\Program Files\Java\jre-1.8\bin\plugin2\
        5⤵
        
        PID:1812
    - - C:\Program Files\Java\jre-1.8\bin\server\backup.exe
        
        "C:\Program Files\Java\jre-1.8\bin\server\backup.exe" C:\Program Files\Java\jre-1.8\bin\server\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2136
  - - C:\Program Files\Java\jre-1.8\legal\backup.exe
      "C:\Program Files\Java\jre-1.8\legal\backup.exe" C:\Program Files\Java\jre-1.8\legal\
      4⤵
      System policy modification
      PID:3620
    - - C:\Program Files\Java\jre-1.8\legal\javafx\data.exe
        
        "C:\Program Files\Java\jre-1.8\legal\javafx\data.exe" C:\Program Files\Java\jre-1.8\legal\javafx\
        5⤵
        
        PID:3808
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\
        6⤵
        
        PID:5736
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        7⤵
        
        PID:3488
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6044
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\
        8⤵
        
        PID:5416
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\
        8⤵
        
        PID:3628
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\
        8⤵
        
        PID:4672
    - - C:\Program Files\Java\jre-1.8\legal\jdk\System Restore.exe
        
        "C:\Program Files\Java\jre-1.8\legal\jdk\System Restore.exe" C:\Program Files\Java\jre-1.8\legal\jdk\
        5⤵
        Drops file in Windows directory
        
        PID:1436
  - - C:\Program Files\Java\jre-1.8\lib\backup.exe
      "C:\Program Files\Java\jre-1.8\lib\backup.exe" C:\Program Files\Java\jre-1.8\lib\
      4⤵
      Drops file in Program Files directory
      PID:3524
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  PID:4044
- - C:\Program Files\Microsoft Office\Office16\backup.exe
    "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
    3⤵
    PID:4476
- - C:\Program Files\Microsoft Office\PackageManifests\backup.exe
    "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
    3⤵
    PID:4184
- - C:\Program Files\Microsoft Office\Updates\backup.exe
    "C:\Program Files\Microsoft Office\Updates\backup.exe" C:\Program Files\Microsoft Office\Updates\
    3⤵
    PID:1660
  - - C:\Program Files\Microsoft Office\Updates\Download\backup.exe
      "C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
      4⤵
      PID:6096
    - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System Restore.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System Restore.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
        5⤵
        
        PID:3000
      - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\
        6⤵
        
        PID:5500
        
        C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\root\backup.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\root\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BC38F05-20C0-4D3A-8C7C-72786C413F21\root\
        7⤵
        
        PID:4492
- - C:\Program Files\Microsoft Office\root\backup.exe
    "C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
    3⤵
    - Drops file in Program Files directory
    PID:2416
  - - C:\Program Files\Microsoft Office\root\rsod\backup.exe
      "C:\Program Files\Microsoft Office\root\rsod\backup.exe" C:\Program Files\Microsoft Office\root\rsod\
      4⤵
      PID:5884
  - - C:\Program Files\Microsoft Office\root\Templates\data.exe
      "C:\Program Files\Microsoft Office\root\Templates\data.exe" C:\Program Files\Microsoft Office\root\Templates\
      4⤵
      PID:5764
    - - C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\root\Templates\1033\backup.exe" C:\Program Files\Microsoft Office\root\Templates\1033\
        5⤵
        
        PID:3284
  - - C:\Program Files\Microsoft Office\root\vfs\backup.exe
      "C:\Program Files\Microsoft Office\root\vfs\backup.exe" C:\Program Files\Microsoft Office\root\vfs\
      4⤵
      PID:5780
- C:\Program Files\Microsoft Office 15\backup.exe
  "C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
  2⤵
  PID:4004
- - C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
    3⤵
    PID:672
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  PID:5608
- C:\Program Files\Mozilla Firefox\backup.exe
  "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  PID:1716
- C:\Program Files\Reference Assemblies\backup.exe
  "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
  2⤵
  PID:2952
- - C:\Program Files\Reference Assemblies\Microsoft\System Restore.exe
    "C:\Program Files\Reference Assemblies\Microsoft\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\
    3⤵
    PID:1448
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
      4⤵
      PID:3524
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        5⤵
        
        PID:5828
- C:\Program Files\VideoLAN\backup.exe
  "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
  2⤵
  PID:4308
- - C:\Program Files\VideoLAN\VLC\backup.exe
    "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
    3⤵
    PID:6036
- C:\Program Files\Windows Defender\data.exe
  "C:\Program Files\Windows Defender\data.exe" C:\Program Files\Windows Defender\
  2⤵
  PID:1348

C:\Program Files\Common Files\DESIGNER\backup.exe
"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3236
- C:\Users\Admin\Contacts\backup.exe
  C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
  2⤵
  - Disables RegEdit via registry modification
  PID:1528
- C:\Users\Admin\Documents\backup.exe
  C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
  2⤵
  PID:1984
- C:\Users\Admin\Downloads\backup.exe
  C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
  2⤵
  PID:4436
- C:\Users\Admin\Links\backup.exe
  C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
  2⤵
  PID:2808
- C:\Users\Admin\Pictures\backup.exe
  C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
  2⤵
  PID:4672
- - C:\Users\Admin\Pictures\Camera Roll\backup.exe
    "C:\Users\Admin\Pictures\Camera Roll\backup.exe" C:\Users\Admin\Pictures\Camera Roll\
    3⤵
    PID:760
- - C:\Users\Admin\Pictures\Saved Pictures\backup.exe
    "C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
    3⤵
    PID:1956
- C:\Users\Admin\Videos\backup.exe
  C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
  2⤵
  PID:4012
- C:\Users\Admin\Searches\backup.exe
  C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
  2⤵
  PID:4072
- C:\Users\Admin\Saved Games\backup.exe
  "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
  2⤵
  PID:4324
- C:\Users\Admin\OneDrive\backup.exe
  C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
  2⤵
  PID:3396
- - C:\Program Files\Common Files\microsoft shared\VC\backup.exe
    "C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
    3⤵
    PID:2548
- - C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
    "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
    3⤵
    - Drops file in Program Files directory
    PID:672
- - C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
    "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
    3⤵
    - System policy modification
    PID:1228
- - C:\Program Files\Common Files\microsoft shared\Source Engine\update.exe
    "C:\Program Files\Common Files\microsoft shared\Source Engine\update.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1012
- C:\Users\Admin\Music\backup.exe
  C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
  2⤵
  PID:932
- C:\Users\Admin\Favorites\backup.exe
  C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
  2⤵
  PID:2612
- C:\Users\Admin\Desktop\backup.exe
  C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
  2⤵
  PID:4808
- C:\Users\Admin\3D Objects\data.exe
  "C:\Users\Admin\3D Objects\data.exe" C:\Users\Admin\3D Objects\
  2⤵
  PID:4272

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1592
- C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
    3⤵
    PID:3520
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
      4⤵
      Disables RegEdit via registry modification
      PID:3732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
    3⤵
    PID:4468
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\
      4⤵
      PID:2612
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\
    3⤵
    PID:4600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
    3⤵
    PID:4700
- C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe
  "C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1448
- C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4048
- C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2416
- C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4468
- C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4652
- C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3596
- - C:\Program Files\Google\Chrome\Application\backup.exe
    "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
    3⤵
    - Disables RegEdit via registry modification
    PID:4164
  - - C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
      "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
      4⤵
      PID:4404
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2676
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:756
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4328
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3280
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1000
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4668
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4004
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3480
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3800
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2304
- - C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe
    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3412
- C:\Program Files\Common Files\microsoft shared\ink\es-MX\update.exe
  "C:\Program Files\Common Files\microsoft shared\ink\es-MX\update.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1304
- C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2556
- C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1348
- C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe
  "C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\data.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
    3⤵
    - Disables RegEdit via registry modification
    PID:1360
- C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3140
- C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4460
- C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3688
- C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2980
- C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4608
- - C:\Program Files (x86)\Common Files\Adobe\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
    3⤵
    - Drops file in Program Files directory
    PID:5020
  - - C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
      4⤵
      PID:3952
    - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
        5⤵
        
        PID:4136
  - - C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
      4⤵
      PID:3088
    - - C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
        5⤵
        
        PID:3448
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
      4⤵
      PID:940
  - - C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
      4⤵
      PID:4544
- - C:\Program Files (x86)\Common Files\Java\backup.exe
    "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Drops file in Program Files directory
    PID:364
  - - C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
      "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
      4⤵
      PID:4924
  - - C:\Program Files\Common Files\System\ja-JP\backup.exe
      "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
      4⤵
      PID:4028
  - - C:\Program Files\Common Files\System\fr-FR\backup.exe
      "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
      4⤵
      PID:2148
  - - C:\Program Files\Common Files\System\es-ES\backup.exe
      "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
      4⤵
      PID:3772
  - - C:\Program Files\Common Files\System\de-DE\System Restore.exe
      "C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
      4⤵
      PID:2548
- - C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:4120
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
      4⤵
      PID:4852
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
        5⤵
        
        PID:2640
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
      4⤵
      PID:1660
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
        5⤵
        
        PID:4404
    - - C:\Program Files\Microsoft Office\Updates\Apply\data.exe
        
        "C:\Program Files\Microsoft Office\Updates\Apply\data.exe" C:\Program Files\Microsoft Office\Updates\Apply\
        5⤵
        
        PID:4724
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
      4⤵
      PID:5992
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\System Restore.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\System Restore.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2312
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\
      4⤵
      Disables RegEdit via registry modification
      PID:5384
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:5360
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
      4⤵
      Drops file in Program Files directory
      PID:5256
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
      4⤵
      PID:4080
  - - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe
      "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\
      4⤵
      PID:5552
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\
        5⤵
        
        PID:6140
      - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\
        6⤵
        
        PID:4824
- C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
  2⤵
  PID:4468
- C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
  2⤵
  PID:4308
- C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
  2⤵
  PID:2092
- C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
  2⤵
  PID:4788
- C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
  2⤵
  PID:2788
- C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
  2⤵
  PID:556
- C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
  2⤵
  PID:5060
- C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
  2⤵
  PID:4464
- C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
  2⤵
  PID:1304
- C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
  2⤵
  PID:224
- C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
  2⤵
  PID:760
- C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
  2⤵
  PID:3604
- C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
  2⤵
  PID:3624
- C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
  2⤵
  PID:4428
- C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:4276
- C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
  "C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:2940

C:\Program Files\Common Files\microsoft shared\backup.exe
"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3396
- C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe
  "C:\Program Files\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4268
- - C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
    3⤵
    PID:3952
- - C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    PID:1524
- - C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
    3⤵
    PID:4136
- - C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
    3⤵
    PID:932
- - C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2548
- - C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
    "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:4860
- C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
  "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
  2⤵
  - Disables RegEdit via registry modification
  PID:1844
- - C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
    "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
    3⤵
    PID:3160
- C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\data.exe
  "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\data.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
  2⤵
  PID:4164
- C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
  "C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
  2⤵
  PID:972
- - C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe
    "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
    3⤵
    PID:1820
- C:\Program Files\Common Files\microsoft shared\VGX\update.exe
  "C:\Program Files\Common Files\microsoft shared\VGX\update.exe" C:\Program Files\Common Files\microsoft shared\VGX\
  2⤵
  PID:5040
- C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
  "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
  2⤵
  PID:4128

C:\PerfLogs\System Restore.exe
"C:\PerfLogs\System Restore.exe" C:\PerfLogs\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

C:\odt\backup.exe
C:\odt\backup.exe C:\odt\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1364

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\backup.exe
"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\
1⤵
- Drops file in Program Files directory
PID:3160
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2068
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\
  2⤵
  PID:1544
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\
  2⤵
  PID:3264
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\
  2⤵
  PID:4808
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System Restore.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System Restore.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\
  2⤵
  PID:4648
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\
  2⤵
  PID:1228
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\update.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\update.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System policy modification
  PID:2768
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3220
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\
  2⤵
  PID:1448
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\
  2⤵
  PID:4484
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\
  2⤵
  PID:4272
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\
  2⤵
  PID:2704
- - C:\Users\Public\Pictures\backup.exe
    C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
    3⤵
    PID:2108
- - C:\Users\Public\Videos\data.exe
    C:\Users\Public\Videos\data.exe C:\Users\Public\Videos\
    3⤵
    PID:2028
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\
  2⤵
  PID:932

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
1⤵
PID:4428
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
  2⤵
  PID:4400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
    3⤵
    PID:3936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
    3⤵
    PID:3220
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
    3⤵
    PID:3916
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
  2⤵
  PID:2152

C:\Program Files\Common Files\System\msadc\de-DE\data.exe
"C:\Program Files\Common Files\System\msadc\de-DE\data.exe" C:\Program Files\Common Files\System\msadc\de-DE\
1⤵
PID:3952

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
1⤵
PID:4956
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
  2⤵
  - Drops file in Program Files directory
  - System policy modification
  PID:1468
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
    3⤵
    PID:3704
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\update.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\update.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
    3⤵
    PID:848

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
1⤵
PID:1208
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
  "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
  2⤵
  PID:4048

C:\Program Files\Common Files\System\msadc\en-US\update.exe
"C:\Program Files\Common Files\System\msadc\en-US\update.exe" C:\Program Files\Common Files\System\msadc\en-US\
1⤵
PID:4628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\update.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
1⤵
PID:100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
1⤵
PID:1992

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe
"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\
1⤵
PID:5060

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
1⤵
PID:884

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:3952
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
  "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
  2⤵
  PID:3140
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\data.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\data.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
    3⤵
    PID:116
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
      4⤵
      PID:848
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\
      4⤵
      PID:3640
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\
      4⤵
      PID:2460
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\
    3⤵
    PID:808
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\
      4⤵
      PID:3692
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\
      4⤵
      PID:4136
  - - C:\Program Files\Common Files\System\ado\ja-JP\update.exe
      "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
      4⤵
      PID:3044
    - - C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\amd64\
        5⤵
        
        PID:5228
    - - C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\applet\
        5⤵
        
        PID:5680
    - - C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\deploy\
        5⤵
        
        PID:5156
    - - C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\ext\
        5⤵
        System policy modification
        
        PID:5948
    - - C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\fonts\
        5⤵
        
        PID:4956
    - - C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\
        5⤵
        Disables RegEdit via registry modification
        
        PID:4892
      - C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\
        6⤵
        
        PID:5392
    - - C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\update.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\
        5⤵
        
        PID:1984
      - C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\
        6⤵
        
        PID:2484
    - - C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\management\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\management\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5340
    - - C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\jfr\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5292
    - - C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk-1.8\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\cmm\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
- - C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
    "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
    3⤵
    PID:2712

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
1⤵
PID:5040

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\backup.exe
"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\
1⤵
PID:4276
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\
  2⤵
  - System policy modification
  PID:1668
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\
  2⤵
  PID:2140
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\
  2⤵
  PID:2108
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\update.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\update.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\
  2⤵
  PID:1352
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\
  2⤵
  PID:4852
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\
  2⤵
  PID:1744
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\
  2⤵
  - Disables RegEdit via registry modification
  PID:4648
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\
  2⤵
  PID:4436
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  - System policy modification
  PID:1180
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\data.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\data.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\
  2⤵
  PID:1196
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\
  2⤵
  PID:2808
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\
  2⤵
  - System policy modification
  PID:116
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\backup.exe
  "C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\backup.exe" C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\
  2⤵
  PID:4600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
1⤵
PID:3936
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
  2⤵
  PID:4044
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
    3⤵
    PID:4472

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
1⤵
PID:1984
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
  2⤵
  PID:5068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
    3⤵
    PID:4324

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
1⤵
PID:3448

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Drops file in Program Files directory
PID:3936

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
1⤵
- Modifies visibility of file extensions in Explorer
PID:2864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
1⤵
PID:1984
- C:\Users\Admin\Documents\OneNote Notebooks\backup.exe
  "C:\Users\Admin\Documents\OneNote Notebooks\backup.exe" C:\Users\Admin\Documents\OneNote Notebooks\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4728
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\
  2⤵
  PID:4632
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\
    3⤵
    - Drops file in Program Files directory
    PID:2712
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\
      4⤵
      PID:4644
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\
        5⤵
        
        PID:4952
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\
        5⤵
        
        PID:1532
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\System Restore.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\
    3⤵
    PID:4324
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\
      4⤵
      PID:1352
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\
        5⤵
        
        PID:5152
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\
        5⤵
        System policy modification
        
        PID:460
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\
    3⤵
    - System policy modification
    PID:876
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\
      4⤵
      PID:5368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
1⤵
PID:3448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
1⤵
PID:1576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
1⤵
PID:2940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\System Restore.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\System Restore.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
1⤵
PID:1744

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
1⤵
PID:1576
- C:\Windows\appcompat\appraiser\Telemetry\backup.exe
  C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
  2⤵
  PID:3652

C:\Program Files\Java\jdk-1.8\backup.exe
"C:\Program Files\Java\jdk-1.8\backup.exe" C:\Program Files\Java\jdk-1.8\
1⤵
PID:2680
- C:\Program Files\Java\jdk-1.8\bin\backup.exe
  "C:\Program Files\Java\jdk-1.8\bin\backup.exe" C:\Program Files\Java\jdk-1.8\bin\
  2⤵
  PID:4664
- C:\Program Files\Java\jdk-1.8\include\backup.exe
  "C:\Program Files\Java\jdk-1.8\include\backup.exe" C:\Program Files\Java\jdk-1.8\include\
  2⤵
  PID:4008
- - C:\Windows\Branding\shellbrd\backup.exe
    C:\Windows\Branding\shellbrd\backup.exe C:\Windows\Branding\shellbrd\
    3⤵
    - System policy modification
    PID:2064
- - C:\Windows\Branding\Basebrd\backup.exe
    C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
    3⤵
    - Drops file in Windows directory
    PID:4028
- C:\Program Files\Java\jdk-1.8\jre\data.exe
  "C:\Program Files\Java\jdk-1.8\jre\data.exe" C:\Program Files\Java\jdk-1.8\jre\
  2⤵
  PID:4268
- - C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\bin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4496
  - - C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\
      4⤵
      System policy modification
      PID:2020
  - - C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\server\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\server\
      4⤵
      PID:2028
  - - C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\
      4⤵
      PID:392
- - C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\legal\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\
    3⤵
    PID:2988
  - - C:\Program Files\Java\jdk-1.8\jre\legal\javafx\System Restore.exe
      "C:\Program Files\Java\jdk-1.8\jre\legal\javafx\System Restore.exe" C:\Program Files\Java\jdk-1.8\jre\legal\javafx\
      4⤵
      PID:536
  - - C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe
      "C:\Program Files\Java\jdk-1.8\jre\legal\jdk\backup.exe" C:\Program Files\Java\jdk-1.8\jre\legal\jdk\
      4⤵
      PID:4900
- - C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe
    "C:\Program Files\Java\jdk-1.8\jre\lib\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\
    3⤵
    - Drops file in Program Files directory
    PID:3044
- C:\Program Files\Java\jdk-1.8\legal\backup.exe
  "C:\Program Files\Java\jdk-1.8\legal\backup.exe" C:\Program Files\Java\jdk-1.8\legal\
  2⤵
  PID:5056
- - C:\Program Files\Java\jdk-1.8\legal\javafx\data.exe
    "C:\Program Files\Java\jdk-1.8\legal\javafx\data.exe" C:\Program Files\Java\jdk-1.8\legal\javafx\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:2348
- - C:\Program Files\Java\jdk-1.8\legal\jdk\data.exe
    "C:\Program Files\Java\jdk-1.8\legal\jdk\data.exe" C:\Program Files\Java\jdk-1.8\legal\jdk\
    3⤵
    PID:884
- C:\Program Files\Java\jdk-1.8\lib\backup.exe
  "C:\Program Files\Java\jdk-1.8\lib\backup.exe" C:\Program Files\Java\jdk-1.8\lib\
  2⤵
  PID:1992

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
1⤵
PID:3264
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
  "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3960
- - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\System Restore.exe
    "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\System Restore.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
    3⤵
    PID:1348

C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
1⤵
PID:4724
- C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
  "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
  2⤵
  PID:5744
- - C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\0BC38F05-20C0-4D3A-8C7C-72786C413F21\backup.exe
    "C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\0BC38F05-20C0-4D3A-8C7C-72786C413F21\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\0BC38F05-20C0-4D3A-8C7C-72786C413F21\
    3⤵
    PID:5284

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\
1⤵
PID:884
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\update.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1984
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\
    3⤵
    PID:3692
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\
      4⤵
      System policy modification
      PID:1196
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\
        5⤵
        
        PID:1840
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\
        5⤵
        System policy modification
        
        PID:3676
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\
      4⤵
      PID:5276
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\
      4⤵
      PID:636
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\update.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\
        5⤵
        
        PID:5836
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\
      4⤵
      Drops file in Program Files directory
      PID:5996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:5816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\
    3⤵
    PID:912
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\
      4⤵
      PID:1464
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\
        5⤵
        
        PID:2780
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\
      4⤵
      PID:5756
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\
        5⤵
        
        PID:5828
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\
      4⤵
      Disables RegEdit via registry modification
      PID:3808
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\
      4⤵
      Drops file in Program Files directory
      System policy modification
      PID:4928
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3088
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\
        6⤵
        
        PID:5304
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\update.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\
      4⤵
      PID:916

C:\Windows\appcompat\encapsulation\update.exe
C:\Windows\appcompat\encapsulation\update.exe C:\Windows\appcompat\encapsulation\
1⤵
PID:820

C:\Windows\appcompat\Programs\backup.exe
C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
1⤵
- Disables RegEdit via registry modification
PID:4340

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
1⤵
PID:5016

C:\Program Files\Java\jdk-1.8\include\win32\data.exe
"C:\Program Files\Java\jdk-1.8\include\win32\data.exe" C:\Program Files\Java\jdk-1.8\include\win32\
1⤵
PID:2092
- C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe
  "C:\Program Files\Java\jdk-1.8\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk-1.8\include\win32\bridge\
  2⤵
  PID:3028

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
1⤵
PID:844
- C:\Program Files (x86)\Google\Update\Install\{5F218BEF-EA7C-4A5A-8DCD-3014BB946029}\backup.exe
  "C:\Program Files (x86)\Google\Update\Install\{5F218BEF-EA7C-4A5A-8DCD-3014BB946029}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{5F218BEF-EA7C-4A5A-8DCD-3014BB946029}\
  2⤵
  - Disables RegEdit via registry modification
  PID:2260
- C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
  2⤵
  PID:4152
- - C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
    C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
    3⤵
    PID:4324
- C:\Program Files (x86)\Common Files\System\ado\ja-JP\System Restore.exe
  "C:\Program Files (x86)\Common Files\System\ado\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
  2⤵
  PID:5672
- C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
  2⤵
  PID:5836
- C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
  2⤵
  PID:1812
- C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
  2⤵
  PID:5668
- C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
  "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
  2⤵
  - System policy modification
  PID:5212

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\update.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
1⤵
PID:4028
- C:\Windows\Branding\Basebrd\en-US\backup.exe
  C:\Windows\Branding\Basebrd\en-US\backup.exe C:\Windows\Branding\Basebrd\en-US\
  2⤵
  PID:5792
- C:\Windows\Branding\Basebrd\ja-JP\backup.exe
  C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
  2⤵
  PID:5512
- C:\Windows\Branding\Basebrd\it-IT\backup.exe
  C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
  2⤵
  - System policy modification
  PID:5416
- C:\Windows\Branding\Basebrd\fr-FR\backup.exe
  C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
  2⤵
  PID:5632
- C:\Windows\Branding\Basebrd\es-ES\backup.exe
  C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
  2⤵
  PID:1544
- C:\Windows\Branding\Basebrd\de-DE\backup.exe
  C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
  2⤵
  PID:5396

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:4832
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
  2⤵
  PID:912
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
  2⤵
  PID:2316
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
  2⤵
  PID:4160
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
  2⤵
  - System policy modification
  PID:4744
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:220

C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
1⤵
PID:1448

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
1⤵
PID:760

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3236

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\
  2⤵
  PID:5544
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\
1⤵
- Drops file in Program Files directory
PID:2704
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\
  2⤵
  PID:6076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\
  2⤵
  PID:5248
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\
  2⤵
  - System policy modification
  PID:5908
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5480
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\
  2⤵
  PID:780
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\System Restore.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\
  2⤵
  PID:2680
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\data.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\
  2⤵
  - System policy modification
  PID:6132
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\
  2⤵
  PID:2148
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2692
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\
  2⤵
  PID:5160
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\
  2⤵
  - Drops file in Program Files directory
  PID:5432
- - C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\
    3⤵
    PID:3656
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\
  2⤵
  - Disables RegEdit via registry modification
  PID:5600
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\
  2⤵
  PID:6116
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:3448
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\
  2⤵
  PID:1992
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\
  2⤵
  PID:3748

C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe
"C:\Program Files\Java\jre-1.8\lib\amd64\backup.exe" C:\Program Files\Java\jre-1.8\lib\amd64\
1⤵
PID:5612

C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
PID:5848

C:\Program Files\Java\jre-1.8\lib\applet\backup.exe
"C:\Program Files\Java\jre-1.8\lib\applet\backup.exe" C:\Program Files\Java\jre-1.8\lib\applet\
1⤵
PID:6096

C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe
"C:\Program Files\Java\jre-1.8\lib\cmm\backup.exe" C:\Program Files\Java\jre-1.8\lib\cmm\
1⤵
PID:4712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\
1⤵
- Disables RegEdit via registry modification
PID:5940
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\
  2⤵
  PID:5168

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
1⤵
PID:5792

C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
- Disables RegEdit via registry modification
PID:1840

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
1⤵
- System policy modification
PID:5700

C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe
"C:\Program Files\Java\jre-1.8\lib\fonts\backup.exe" C:\Program Files\Java\jre-1.8\lib\fonts\
1⤵
- Disables RegEdit via registry modification
PID:1040

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\
1⤵
PID:5736

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\
1⤵
PID:5344
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\
  2⤵
  PID:5412
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\
    3⤵
    - Drops file in Windows directory
    PID:1908
  - - C:\Windows\apppatch\ja-JP\backup.exe
      C:\Windows\apppatch\ja-JP\backup.exe C:\Windows\apppatch\ja-JP\
      4⤵
      PID:4404
  - - C:\Windows\apppatch\fr-FR\backup.exe
      C:\Windows\apppatch\fr-FR\backup.exe C:\Windows\apppatch\fr-FR\
      4⤵
      PID:5268
  - - C:\Windows\apppatch\es-ES\backup.exe
      C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
      4⤵
      Drops file in Windows directory
      PID:1612
    - - C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:3704
      - C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        6⤵
        
        PID:3676
    - - C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        5⤵
        
        PID:5124
      - C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        6⤵
        
        PID:5884
    - - C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\
        5⤵
        
        PID:1528
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\
    3⤵
    PID:220
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\
    3⤵
    - Drops file in Windows directory
    PID:1576
- C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\
  2⤵
  PID:224
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\
    3⤵
    PID:5272
- - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\
    3⤵
    PID:2028

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\
1⤵
PID:5432
- C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
  2⤵
  PID:6004
- C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\
  2⤵
  PID:5360
- - C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
    3⤵
    PID:2676
- C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\
  2⤵
  PID:5016

C:\Program Files\Java\jre-1.8\lib\management\backup.exe
"C:\Program Files\Java\jre-1.8\lib\management\backup.exe" C:\Program Files\Java\jre-1.8\lib\management\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:5760

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\data.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\data.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
1⤵
- Disables RegEdit via registry modification
PID:4956

C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe
"C:\Program Files\Java\jre-1.8\lib\security\policy\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\
1⤵
PID:5944
- C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\limited\
  2⤵
  - Disables RegEdit via registry modification
  PID:4344
- C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\
  2⤵
  - Disables RegEdit via registry modification
  PID:644

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\
1⤵
- Disables RegEdit via registry modification
PID:5444

C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe
"C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\backup.exe" C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\
1⤵
PID:5852
- C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe
  "C:\Program Files\Java\jre-1.8\lib\images\cursors\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\cursors\
  2⤵
  PID:6052

C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
PID:1636

C:\Program Files\Java\jre-1.8\lib\security\backup.exe
"C:\Program Files\Java\jre-1.8\lib\security\backup.exe" C:\Program Files\Java\jre-1.8\lib\security\
1⤵
- Modifies visibility of file extensions in Explorer
PID:5968

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
1⤵
- Drops file in Windows directory
PID:4136

C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe
"C:\Program Files\Java\jre-1.8\lib\jfr\backup.exe" C:\Program Files\Java\jre-1.8\lib\jfr\
1⤵
- Disables RegEdit via registry modification
PID:5236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\
1⤵
PID:3256

C:\Program Files (x86)\Reference Assemblies\Microsoft\update.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\update.exe" C:\Program Files (x86)\Reference Assemblies\Microsoft\
1⤵
PID:2468

C:\Program Files\Java\jre-1.8\lib\images\backup.exe
"C:\Program Files\Java\jre-1.8\lib\images\backup.exe" C:\Program Files\Java\jre-1.8\lib\images\
1⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:5852

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
1⤵
PID:5212

C:\Program Files\Java\jre-1.8\lib\ext\backup.exe
"C:\Program Files\Java\jre-1.8\lib\ext\backup.exe" C:\Program Files\Java\jre-1.8\lib\ext\
1⤵
PID:3140
- C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
  "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
  2⤵
  PID:5980
- C:\Program Files\Mozilla Firefox\browser\features\backup.exe
  "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
  2⤵
  PID:5528

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
1⤵
PID:5740

C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe
"C:\Program Files\Java\jre-1.8\lib\deploy\backup.exe" C:\Program Files\Java\jre-1.8\lib\deploy\
1⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
1⤵
PID:5704

C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
1⤵
- Modifies visibility of file extensions in Explorer
PID:5244

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
1⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
1⤵
PID:952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\
1⤵
PID:5004

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
1⤵
PID:5924

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:5784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\
1⤵
PID:5200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Modifies visibility of file extensions in Explorer
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\System Restore.exe

Filesize
16KB

MD5
946ad5783ce459fb17d85f3033bf79bb

SHA1
b34949154a2b07cfdf752336b215507c59ccb634

SHA256
f5976c6b94510a2d22b28a3c78cfcba882d0f1167a301e2bf9548cc341e05d14

SHA512
660b4f825591c7958693f84e27687e4671eb2e8538d8d54c582717190e405cbf76aaf3693355724ff85c4f8e365e97b13837100484242628a232b4a6e294e9ed

Download Submit
C:\Program Files\7-Zip\Lang\System Restore.exe

Filesize
5KB

MD5
4d9de7c55844b002a99063f3a30bcdcb

SHA1
d140cf80ac4c374ce30561ee3f1d531f109cb386

SHA256
e5aaf2564c35e4ba7df74f2e8196b496d32ad40d56b1187dc7bc1ba3326339c5

SHA512
edda0e64c9d27831e0d99c50254181a0cdb7f253dc383f37ff1689338f1ddcd75df8d8009bf22ce40fb92a4d794ce3970c6bf06f3cb1594e59ba42fec7e853d1

Download Submit
C:\Program Files\7-Zip\Lang\System Restore.exe

Filesize
6KB

MD5
a2c965140c47f0ffc1b5ba16286dcaec

SHA1
9794409b32188b1f814d97174a6cb4f832a09ecb

SHA256
2d01695d34ea3aa5aa0e0c404324f4f540579527af81048ab1821b7a071f7988

SHA512
14398ecb139584d36c24aabe056913080c3416b1c9a6f0f32d759529ef41c0066d6cb3e6a326b96bc91a650ab94134c2117052942d577bc857f6f4bdb5e3b92d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
25KB

MD5
5092d7fc5808f762924a38e4643d4695

SHA1
c1c0fabfd90ca048f01b5564c99fa107e5d38e51

SHA256
e41be3458827c18ee39e2cfa0c5473d50a5b9a1f0e2abc1d894c56c19740567f

SHA512
f25705b4615dd62a410f6daf2e227b01c603711084d5234763427e72d86589b6932e6bc9e3451ad00884cd93555182a0914dbfaaa5702512ef5443af297a38ac

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
18KB

MD5
c25aaa9fbb371720b611e08968d02fca

SHA1
f9fd27fc144cc5fe5789238359a2b5fdf2c13d12

SHA256
6adeb133a22c55d264c691fb5839c32566bfdcfb78853995e190611634b36d9c

SHA512
3be946f3c64b7ea96be0c870571879ee189dd24b5d83fd70c92403a1f5497640f0d703550800171ff9594e68ea6336c98ffba992c1878b7bd91c6487722e7807

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
47KB

MD5
377eeb87e914865946ad1735dfa97392

SHA1
437e2a407c930ceb4a2060f4cb3dc678ee2dcb71

SHA256
6bd5f09f673ea482dc73da37ad3be13d80f4c606b85adbe44e87826d74cd0f3a

SHA512
0c89baf9f385c16b228035d29bab8913d271365d5dea04a4778779fd2fc21ef777e2ea4e9d8875e6caafa87a88a00c33d94543664ffd121b11f17411efe079cf

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
b2d9a7b4b6fd02a776afe1e43914e21c

SHA1
7327a7917326de51ba1b1e5a75c92bb7b0a68a71

SHA256
ce8d6508241cf11c6c25cace62f113a2511151f8a3516f4a62e0db95ed7b58a8

SHA512
cf53247c2682e225cbccd920f3b630d25e83400d6e7dffce53c6f2190b89aefa9b115c45d85565b0ffb0b7bb5c1f7bc5dabce264b8b3ae412060486bd36f8f79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
39KB

MD5
aac0675d08cdd4139952c3e39a2bec9f

SHA1
e632d41972624131dc649897c0efff626b2c1c10

SHA256
3d6b6206dd3011d7bcb407a0bdacbdba664c53948a34e6a94cb4d6b4b3212b77

SHA512
872fd6ed6a18c9e79e124a66ec953df01a335760e7a0d6657c50cde05fc935d1215e63ddfb0ff90b4ea67bbecf8fedfe09c94841669d2eb575c20b6107fea231

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
60KB

MD5
bbae28713d8ee65bacda69f2ec289022

SHA1
d7347bebbbdd71617bbf75d9306d916adab1d924

SHA256
5d83853e3c4163fc42fc684d4f0cb09b6bfb468070d5253b4377972f9aad4edd

SHA512
a6e9796783e0c99f5a32f7263037cf779e266b269c4b4fea13862dabe98ed1ec6baf997643a9e2b58fc3ca753f7ba9f6abfd5bbc43e2b98c3547536c93b5f256

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
c1d391a713fa38a65aab9593863f27b8

SHA1
93f057a6ff507974929d47fd160cf0f5b808b292

SHA256
0fb8eded9a6eda8753347153124d30bc72b43feaaa88289daf82beec0a669e66

SHA512
5ebada0a2f56231a47f8d62cbc5b6d62c6bf3521daa2469c90ce1553270e8817ccd43dcf9ea3c529faa4242831b4ea2968456d10b029510c7bef8e7e06d6cf72

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
d7a4f6128d7056797a25b7718a3f2c16

SHA1
1dc28c04d300daf08995b0cb02fab4ac80f0a63b

SHA256
756bb1736e91af47a7152061410a48eb125b0905bcbbb882a2197341598653bd

SHA512
376aeb12c34836a2a578b9a1b20f1112790ac646229977174fe1ac2f16442d6084200b40bceb7f5b8ebb4ec12fcd8b76596c33debff5662796ff3572ed10461a

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
fb456cb066318e36390fef8b82eb884a

SHA1
5b1d73f3f8e6d75414f80e3a7bab9a79f878da51

SHA256
e6b2efeebeebf4c66f6edb37fee1a312b90cdd30d712cb28b1a82d5629d0ecc0

SHA512
c7eb164ec91ca1a99f55eb6de71b50cf8b320900752149842c227abe1d63083502ba74248a74a7aacb9061156625a5797e918ebca5cccd90412ae74a11ff9ffd

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
41KB

MD5
f39d8d2eab5a3400957f13c39660af79

SHA1
e9b2517ef89c592c45652eea1ab94715be85373f

SHA256
c2110cf1af4e586b43dda138f336f7d3cdd522dd41d635759560bae9640c7198

SHA512
591ffbb8e167dd455bac4f8880244f3ca2fa4fcf0ccb2ff5478a0e983d4cd83cfb9e628c3cda6a14c84164ce0b4d0ba898407af1bbb33bbb8c7c0924d44a27b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

Filesize
56KB

MD5
113e046ded9d3e7c9843e1b8c41d8064

SHA1
2a6575df3e82a0e20553c9d905e64a4710e381cb

SHA256
4c6bfffba38af30cffe46efdde41ca41264f9cde6cffec5515011224261b9ae3

SHA512
b139c5d6498011eefa8db3544e388527fafc4c1ad6c87f97421bd4c1b3c6d00caab8ec01c4ce7fdcfd7170f721ce619bc3813c014ca2f50379e9053be4515440

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

Filesize
50KB

MD5
02ad5891e9a76e667448f240291de265

SHA1
17e3e6a69ae2ad1ebae4f1499e506a8d78aa6bd7

SHA256
ff92409ee2af821de479d5c8053ad8a9e9b47669a82cf9a8fe6a4e2543e0bdbc

SHA512
71e8739822d3d3924d40652df0418499a108e1b1a42eda51356ac349df2051d80b444c36f3c9a53d53312b6c3647799c7b21724580d66be4003932bc60143934

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
49KB

MD5
326f0890c0ac1fe222f93371d9f552be

SHA1
62c90cad5ed42cb58966c7a3d97e721a73b80f58

SHA256
274b4f25b219ca5fe30c411e056dc0dee466721d099eab43849b468f9fc4d7e3

SHA512
8f1ed1b61548daeb9cb143067d1603cfc0a25c94e8d3761349eaf5b0ccd997eb757ef390ed35453eb1e1e1a9a18629571d190aaa553518fd4864c0db58cc65c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\update.exe

Filesize
35KB

MD5
964328b3f67d71b7d42e34f3e6dc6c5a

SHA1
bee8dbd28b9187cace0f7c279cc3771cdaceca90

SHA256
c2fc4fc097639141e65cd4b416d1c74f9b2f406cf446bd5d1e569f50cd8601c6

SHA512
7918d4799ed114e6fab5bfd01828c626fa30ff2d8354abe71464bc4dfbe6dbe8ac642c4f4f021fd74b2f5e02c1d06218b10502c9e11ebe98a02f731e56f4bf45

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
44KB

MD5
2421930f9d822e09d4646f2ea8d11cec

SHA1
2d53e25fe05ba35a402292daaf4e9b1f8114b9a2

SHA256
fd0e28ca411bb8ac0b7d7ed9daeb7da2b8e0f82c6db091866146a14cb013b413

SHA512
1a4914bf24ad7efdb079920e2b4174013f435ce72ccbfc382db88ac1936dff9d358ba93231206da709880f6d06fde91c64c6fc0d42bd5fb02dd5ed42c2693443

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
27KB

MD5
e288bb71641be826981fe4c61f38bf47

SHA1
3d4a0b3022a8e5062ee721c4134f8ce52442530a

SHA256
c38c1054f82ccb4aa00c16501406aed1766edc81fa370dfa988e9d5c1d088020

SHA512
68d3ae5dfa494b0a38f62239a9cd37bc4a7541a4167496dd5ae4585a64a33fef31cd153d54e811eb3486208b0e9050863111c2fb9570bbe035e8b2a7c19f3687

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
22KB

MD5
a10d62e5d476906393c81ed861f58b1f

SHA1
5673360fd93cffc8ba1f8551c5571417ba9bda2f

SHA256
ffe19f77086e045e5eb26afdc3304f9400fc740ec7cc69bf1633924a7d10e4c4

SHA512
ac0edd1a97abea06f0114bfd6833dca0f2e3472c70b0e184c84df8f98fa3c1f67d1d26c751d929dab3b769b17d20747dd2c0a5bea95f1a7fefef14cc4b2d54f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
27KB

MD5
95c59710bdced876e879b9250c63b635

SHA1
32d3d0f52e65ceba245b9abdbdb0993029699842

SHA256
ec871e3002e7f225969a011a4827b99cfc7dde73be7a3112d8fb6883156d7756

SHA512
809f4572ac57706b27af493726950a1a41c5a12a6141952738d5b5e6f127aa7a3fc4d3f47b01206ece45ed9da73dd0dc825ebe4810c6b5a59737bf62e741ac78

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\update.exe

Filesize
72KB

MD5
24d2eff2542d9de9285f93058f46ac26

SHA1
93bae0e2aee9e57665824aaf92d9939eaee07e14

SHA256
a45b80494b188049e9cf5efb4ef52197685ed891aa4ee187768fbc27116333a8

SHA512
19af4f69b3cec50c508dec0d0a7c9292ac2c8c5cd11cba3eb2eb6548cb6056202abffc5ecbaa2c52c982259143977036d3a93d7f64bd54d98be8df35970e4723

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\update.exe

Filesize
33KB

MD5
94c34fe6c944e81a419bf1e6fad33d32

SHA1
10b17940169df1efaa87c0d423bf7b6e0cf06e57

SHA256
c4146568cf0fd3290beaddba18379cc56a0a00aeef7cac851e865ce29ce5054f

SHA512
d61ba4a94b608637f015fdca5b7812abc429c39d8e1a0e909621ef865dcec7f8ec8f7c6f23c5639db98d0afa855e5e07b899138c22f47b00ea2bff0ecec869e8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
8e0c0abb1ecc1be9c1e2241c747001fe

SHA1
1b34ed1faae8767bd38f0b46ac3e0776b67be472

SHA256
c08ae39626cd4cad9a95ff94b37801866a32b7152ad9d6a6168deaecb693c27d

SHA512
1bc09010f51c64b2d7845f4bf7735aec36e0f5031413bd5942be722e075554b37d793218162ab9fc8b60821cc056a9f4b38105eb0093fe7f274a134bc06d011e

Download Submit
C:\Program Files\backup.exe

Filesize
26KB

MD5
15942117441e2419b89fc00f35aa22a0

SHA1
1869a9e840825315cf7e59f0e621c1c799fe58fd

SHA256
ea6aeb5d29344577bc4698d34ee98b0bb94ec1ac0be10e6397c631e6b2247b18

SHA512
3dff0438007a4f4e83a529a63d7d46049808bd81524dd0f4371ab322290de22d7e215433178492d203c4286631812c2d0fa4578947dea4118eb7c85a2a987ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2219311483\backup.exe

Filesize
20KB

MD5
ac0735b022a3d7bde03d3d7c9777b686

SHA1
74d6e87953221ec9ac74d70987b87691b5693eed

SHA256
5384a1049624c55df447cdef68ab9104401629d8c8e370c44de45781a6c9994b

SHA512
20e9534a591f8f9902b0701748532148af79810c8c068be7e5dde4b56be817f09505b1d9cf0f04f020bdbdc7e4110a34b9c1d28450d95fb76afefd3abd4402d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2219311483\backup.exe

Filesize
3KB

MD5
4ca151b7a7d309d0aa52cd7278a7f993

SHA1
766159d0234f3bcd0e593d3bdc5ec9e772a275bd

SHA256
fff2f47037bd8e3847e6d75762c83afe9da0d908794b73cd3b19e947ca4af2d5

SHA512
98f7cc12b601d3eaf6938ba9f832323fe83245b392806dae8d8c62bff5e61d2831db0a743ea0364792ae64545e171886b277633a7fecc571504535c3939891ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
57KB

MD5
dda51f8351825bf8206fdaeda3492499

SHA1
a45f2dcbe7c693c41e0e8da3531375cf3f8c34bf

SHA256
9ff0beeccd0c26c36a7cf88b9fb43941c2c1b7422d7d84cbe33631bbc9912173

SHA512
ca2c8a35fa3c5dbc6607edb0c88ce65c0b4cb4091b0b68dbba32b80e61601bebea0a5ef7af927feb9d9f7d2a8669aafae45cac19514fb43cbe0472d0dffb04a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
68KB

MD5
61152ada5bc48b14c6f75daaca0768b9

SHA1
c49401055b93eebb3393b3393b95955c06a028ce

SHA256
bb4a43e82d21a766e0d688fffa8a897bdacf482d67ea9c9336b349cbfbeae313

SHA512
e4856c8c23d1ead5e6a87130d6fed2d9c30a48070e67bf24b963fa40805e7d8dda983d064de1f7a7baf1bfb5f374e9c6312481e3d68c5ae452bf645f275ddcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
51KB

MD5
0cf549feb1083e553a7663d1d83afbc5

SHA1
da233cf77dd4035173f2c43657abcffa8a843d89

SHA256
eda2134ba852d3612fdf52bd9f638ccb8ea8e1a96551725023de79b7ea3c17b9

SHA512
75311246347d2525e34638dbff20165eaca4d0b3e041e48e5a385a1945d120d812ecbfd9e18c6f51c469f91bac7223f592e31ef2f42c5836ade854fa4f2e1de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
72KB

MD5
d036711cf6ef66754717a789c1447c0f

SHA1
46ac07e6308500c041ceec852b1c68c41e226b16

SHA256
f337cf9239841b5aa3a6fb22ad2e989f257decf66233ea0b367eafa0ede32315

SHA512
6cf576513068f7a35f7300ef10f21fe52d10289b224fd706a247f6b22eb73602e02a3e335081347790f6e40ff912d9107bc94cd5238425e9750379b547f60a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\backup.exe

Filesize
26KB

MD5
e494d27f4ba153552b8ba4a6e49fcba3

SHA1
a936432f3c560012499af0d96b0b9fe61f694f63

SHA256
a29ee310f82a2d6ba96ce3989822009f40d0305f327051d2a858646e99161a10

SHA512
8ce877659e76f42f9661c9e30af34e4ffedf9a1548e511c35d47f1ff57c3151d0460e5df74bfe02bc257c3d3da4cd52a0d7a8d2a66d5e10f0c939374ecbda89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
20KB

MD5
22d8da8fea6435ce26064203dbfba2f2

SHA1
cbb9b1af89ebf15c8a6e56c8076c031a43d3ed14

SHA256
69ec3b96b9f249fb1486651aec523f90e886a952e4bcdd3ba383076a0f241aa6

SHA512
102114f926bae0b9150305ee6102dc1abc580daa16f81187db82d3f56b5a66f913e070f5059c0043fae6e60fb9f79ab051bfb04111c70cce2aa057cf2ed25e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\backup.exe

Filesize
27KB

MD5
cfb0d6a6e34db60458d5c2a068bd48ca

SHA1
88e4ffbcdfe2da649e7f40fcf0514321e6f53297

SHA256
3f3a83aa32f3b20dc84cf5cfcea6640611798ad7c343051fbbdfb14ce7313b5e

SHA512
c10287f964472c92418167ff194ef1d576327b43084c73d26335d8617b30ac99fda43120f5dccec0cb4aba544108884a3adeffd9df655be10b07fe72c13b1fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
56KB

MD5
b9c76cf7e436e1d7bfccf751a20758ae

SHA1
2bcabdbd55a42dac51ed95eb409e3b479212314e

SHA256
7e4ea25568b47b310f3f047646b455cdf225f037d033eded9b1f6116604a0248

SHA512
2d03718cff987188918fe545a934335a12d7a7156db6b07f852b535ff9e443da60839f96aa5b9ced4e7216b5c3551a822e6fc595c22727fbdce5f5ce80910242

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\backup.exe

Filesize
43KB

MD5
c5e1af9abbb47bf2fcb5ece12ec5afa8

SHA1
2586bb3516466c1371656ef4e9c82e114a3ab41f

SHA256
ba3e10288c4f80e0a7f923d6332622c0d8df5ad3426e5c4e135192c5396601b6

SHA512
7f86038eab1dbf22a445d716bd1ec536cfb1bd5750881084f371786e4637f3883b923e5d2fbc899292cefa30320bf4d1f882cf09186de40ec89e118d9507b99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
49KB

MD5
83d0a2ff044eb90540548de91f45933a

SHA1
e1059d87b937c1e2cdd46b371dac7b9394b59e46

SHA256
cfbc7814c8ecb064e9702484e3e60ffed367873d037c59bc94efc5c27ad54b35

SHA512
a4c421759ce384539661724dd73ef4dbd72935a5ad1f591fd4b6d5c49e3ba572bb32e94bcf1f4a854dfdc95a180295fc206e3ab1097b24bcc85bc6ec08bf6d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
57KB

MD5
730886fe42017a460a4cc4c2dc684e67

SHA1
5cb17cc42b1f9255d627ef7c3aae350493ff0c38

SHA256
b3bf717018f6e3467d3f2ab80c64692b531e15b90c316cccb9718baee2863ceb

SHA512
cbbbc96c9f28c6ebd6026beac9f7c8cc0ae900f7fff9238831f03179275ff87c38a31907ab804c3955e771c1dbf7d74469ca3075009bc12b4d1520aed01ab897

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
57KB

MD5
2cdaca36e98b387b7a672f528a93ca08

SHA1
3d5b18253125ac80f654c67d282b6031eb19bf29

SHA256
253e8a2233d17d0961095316effc7028ebeda7cf342a6459d76597b0caf0506d

SHA512
3009a4eb09b376cd545e18bbbd36881c4b4d73cd24af5cfac00c9012b61f3930bbb4588199d3fadfc865c5991612b045d487eb366fa44736a94dc5fac9246890

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
50KB

MD5
45c40b36ccb1f29278c6f5a6f4d130e1

SHA1
48bbbfdfe542e0a55b52561d7e41a5087535fab3

SHA256
d6bdf51126b13aaeaf8332f2c18a85a7df1a69bfec1966757428f3620d614c1f

SHA512
0fed0278af698bc34f35ba70a2afe08e58ddf2d20a126a7a3e0eedb80637412ae9068ac9f8c451810e21fd33d33e34fffb9a57252bc79c537f4c20325dc628c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
14KB

MD5
c33cd23cbee38ecf4f6379bc0593559f

SHA1
945916c04cb11aece5ba28441a3a269d1e83a89d

SHA256
e252e5e4e91137619f3f78357aae26098a3c922e43bec77762efebe353dbc73d

SHA512
15860eebf1076ee94e0ac1ab00b9058a2215ab67acaf3fd16a2e087a29bcb022ce36ba125fa49e4aa16eb386329816f635b3049fab9be0ff3f090b3b8fb18e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
c2e68a22773c0c08533a193ceec16ba5

SHA1
f44ac847a2366e293c308ceac643b74a1eeb4af4

SHA256
03c7d000bdd6fadd744c5e0fe70c498de73a55538a66e5d8e46bd4d718427366

SHA512
d18ac2deb5b030bcdd777a5deb6f5c19108f3b4e0a00185c42ecaa0a27891c2105f49286ef24d250bd36ee47f0633189361b2b2c0718c82efcc0e54623742341

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11BBD838-5A68-43A7-A04D-E0D75B51D1D1}\backup.exe

Filesize
38KB

MD5
d4afed82d9ec04a807cd47dbbdb1cfed

SHA1
019eae690b39f82e8b0af8d7154aa19f29891b4b

SHA256
00cee80500a01105128f1975df29f7c36e6fab67f846668937c3ce3f2f54b058

SHA512
789eeee419a16231e628164d68f8238ed9bd345d3727e1de2d8a80614df4ca4ef2b32f0c2f7c92bd6b2268eb7c05bb33b77c0da0f3eaca12ad2e7eebe0bd8343

Download Submit
C:\Users\Admin\AppData\Local\Temp\{11BBD838-5A68-43A7-A04D-E0D75B51D1D1}\backup.exe

Filesize
22KB

MD5
a8b62ff2fc1e93a0c9698c9d669641d6

SHA1
0729deed6230feddc91068c747eadf809c00a0af

SHA256
aaabb17effd6baf4c0ea03162f8d710f78e80d1b5e41760b51a2ad112c33d3db

SHA512
d179c18761c3781d9a53be504e6218310d9da63b2cc6a08d07da9be10fe2569891c6f6d5e071913ea44238f307b71cfd86b25b1fa033c618d64053afada5c1d2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0beb91b8f08d667c7316ca734288873b

SHA1
acbd40a3138b0fa5084780b0e3923cd619bc1f03

SHA256
1f392b325abaa2746cd7ce60306f8057511356c1dcd535aaa600b0db5e55d9bf

SHA512
7e22909837a9ca0a2c799f8fb58b0e468580a22a0b2f006f9795cf82b359761440246c1dcb980810c12692227a37890c05c12373a0d8979659bad764c057ebd3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads