271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537

Analysis

max time kernel
38s
max time network
54s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
Size

72KB
MD5

0543d64cad468025cc91ae1854b1a968
SHA1

6b54b956ff00707b00628b632459f7ca4e82d073
SHA256

271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537
SHA512

7263db2602c39c35c8c16de8b2367a9826752371511b6e53c6c78b95dda87048e275d6accc3bbbefe69357c7161344c50f116c6f172ddc07a0610d7de2afd9b1
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf23:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrL

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1704	backup.exe
1532	backup.exe
1316	backup.exe
680	backup.exe
1056	backup.exe
1092	backup.exe
360	backup.exe
772	backup.exe
1668	backup.exe
1216	backup.exe
2032	backup.exe
1556	data.exe
1960	backup.exe
1284	backup.exe
1680	backup.exe
944	backup.exe
2036	backup.exe
1128	backup.exe
1244	backup.exe
1008	backup.exe
584	backup.exe
1152	backup.exe
436	backup.exe
1312	backup.exe
1800	backup.exe
1948	backup.exe
360	backup.exe
1604	backup.exe
1780	backup.exe
1116	backup.exe
972	backup.exe
1912	backup.exe
1216	System Restore.exe
1968	backup.exe
1676	backup.exe
1728	backup.exe
368	backup.exe
1656	backup.exe
1556	backup.exe
1584	backup.exe
956	backup.exe
1748	backup.exe
1324	backup.exe
1736	backup.exe
1120	data.exe
1156	backup.exe
1180	backup.exe
1412	backup.exe
1468	backup.exe
584	backup.exe
524	backup.exe
1048	backup.exe
1056	backup.exe
1496	backup.exe
1160	backup.exe
1168	backup.exe
1952	backup.exe
1604	backup.exe
1684	backup.exe
1916	backup.exe
972	backup.exe
2008	backup.exe
1716	backup.exe
296	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
772	backup.exe
772	backup.exe
1668	backup.exe
1668	backup.exe
772	backup.exe
772	backup.exe
2032	backup.exe
2032	backup.exe
1556	data.exe
1556	data.exe
2032	backup.exe
2032	backup.exe
1284	backup.exe
1284	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
1680	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
2036	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe
1780	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
1704	backup.exe
1532	backup.exe
1316	backup.exe
680	backup.exe
1056	backup.exe
1092	backup.exe
360	backup.exe
772	backup.exe
1668	backup.exe
1216	backup.exe
2032	backup.exe
1556	data.exe
1960	backup.exe
1284	backup.exe
1680	backup.exe
944	backup.exe
2036	backup.exe
1128	backup.exe
1244	backup.exe
1008	backup.exe
584	backup.exe
1152	backup.exe
436	backup.exe
1312	backup.exe
1800	backup.exe
1948	backup.exe
360	backup.exe
1604	backup.exe
1780	backup.exe
1116	backup.exe
972	backup.exe
1912	backup.exe
1216	System Restore.exe
1968	backup.exe
1676	backup.exe
1728	backup.exe
368	backup.exe
1656	backup.exe
1556	backup.exe
1584	backup.exe
956	backup.exe
1748	backup.exe
1324	backup.exe
1120	data.exe
1156	backup.exe
1180	backup.exe
1412	backup.exe
1468	backup.exe
584	backup.exe
524	backup.exe
1048	backup.exe
1056	backup.exe
1496	backup.exe
1160	backup.exe
1168	backup.exe
1952	backup.exe
1604	backup.exe
1684	backup.exe
1916	backup.exe
972	backup.exe
2008	backup.exe
1716	backup.exe
296	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1704	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	27
PID 816 wrote to memory of 1704	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	27
PID 816 wrote to memory of 1704	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	27
PID 816 wrote to memory of 1704	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	27
PID 816 wrote to memory of 1532	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	28
PID 816 wrote to memory of 1532	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	28
PID 816 wrote to memory of 1532	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	28
PID 816 wrote to memory of 1532	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	28
PID 816 wrote to memory of 1316	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	29
PID 816 wrote to memory of 1316	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	29
PID 816 wrote to memory of 1316	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	29
PID 816 wrote to memory of 1316	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	29
PID 816 wrote to memory of 680	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	30
PID 816 wrote to memory of 680	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	30
PID 816 wrote to memory of 680	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	30
PID 816 wrote to memory of 680	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	30
PID 816 wrote to memory of 1056	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	31
PID 816 wrote to memory of 1056	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	31
PID 816 wrote to memory of 1056	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	31
PID 816 wrote to memory of 1056	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	31
PID 816 wrote to memory of 1092	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	32
PID 816 wrote to memory of 1092	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	32
PID 816 wrote to memory of 1092	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	32
PID 816 wrote to memory of 1092	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	32
PID 816 wrote to memory of 360	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	33
PID 816 wrote to memory of 360	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	33
PID 816 wrote to memory of 360	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	33
PID 816 wrote to memory of 360	816	271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe	33
PID 1704 wrote to memory of 772	1704	backup.exe	34
PID 1704 wrote to memory of 772	1704	backup.exe	34
PID 1704 wrote to memory of 772	1704	backup.exe	34
PID 1704 wrote to memory of 772	1704	backup.exe	34
PID 772 wrote to memory of 1668	772	backup.exe	35
PID 772 wrote to memory of 1668	772	backup.exe	35
PID 772 wrote to memory of 1668	772	backup.exe	35
PID 772 wrote to memory of 1668	772	backup.exe	35
PID 1668 wrote to memory of 1216	1668	backup.exe	36
PID 1668 wrote to memory of 1216	1668	backup.exe	36
PID 1668 wrote to memory of 1216	1668	backup.exe	36
PID 1668 wrote to memory of 1216	1668	backup.exe	36
PID 772 wrote to memory of 2032	772	backup.exe	37
PID 772 wrote to memory of 2032	772	backup.exe	37
PID 772 wrote to memory of 2032	772	backup.exe	37
PID 772 wrote to memory of 2032	772	backup.exe	37
PID 2032 wrote to memory of 1556	2032	backup.exe	38
PID 2032 wrote to memory of 1556	2032	backup.exe	38
PID 2032 wrote to memory of 1556	2032	backup.exe	38
PID 2032 wrote to memory of 1556	2032	backup.exe	38
PID 1556 wrote to memory of 1960	1556	data.exe	39
PID 1556 wrote to memory of 1960	1556	data.exe	39
PID 1556 wrote to memory of 1960	1556	data.exe	39
PID 1556 wrote to memory of 1960	1556	data.exe	39
PID 2032 wrote to memory of 1284	2032	backup.exe	40
PID 2032 wrote to memory of 1284	2032	backup.exe	40
PID 2032 wrote to memory of 1284	2032	backup.exe	40
PID 2032 wrote to memory of 1284	2032	backup.exe	40
PID 1284 wrote to memory of 1680	1284	backup.exe	41
PID 1284 wrote to memory of 1680	1284	backup.exe	41
PID 1284 wrote to memory of 1680	1284	backup.exe	41
PID 1284 wrote to memory of 1680	1284	backup.exe	41
PID 1680 wrote to memory of 944	1680	backup.exe	42
PID 1680 wrote to memory of 944	1680	backup.exe	42
PID 1680 wrote to memory of 944	1680	backup.exe	42
PID 1680 wrote to memory of 944	1680	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe
"C:\Users\Admin\AppData\Local\Temp\271e5ea49959c2c293dc360d6e2678ed8a13eff873ee8e7abb7b281e2c561537.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\532916106\backup.exe
  C:\Users\Admin\AppData\Local\Temp\532916106\backup.exe C:\Users\Admin\AppData\Local\Temp\532916106\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:772
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1216
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Program Files\7-Zip\data.exe
        
        "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1412
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Disables RegEdit via registry modification
        
        PID:604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        System policy modification
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:1168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:748
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1628
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:472
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1180
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:832
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1188
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1812
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1312
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1740
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1048
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1420
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:784
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1344
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Drops file in Program Files directory
        
        PID:1556
      - C:\Program Files\Common Files\System\data.exe
        
        "C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:1472
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1012
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Disables RegEdit via registry modification
        
        PID:948
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:296
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:1628
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1800
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1924
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:748
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1100
        
        C:\Program Files\Common Files\System\msadc\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\System Restore.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:1576
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:556
        
        C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1896
        
        C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:584
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:1732
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1420
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:632
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:684
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1572
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:784
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:980
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1712
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:924
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1924
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1604
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1980
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1076
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:320
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1412
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1148
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1368
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:1096
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Disables RegEdit via registry modification
        
        PID:360
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1012
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1896
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1324
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1972
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1800
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1676
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Drops file in Program Files directory
        
        PID:1900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1500
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1952
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1412
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1216
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:1556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:1924
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:472
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:680
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1972
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1968
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:324
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1824
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1076
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:904
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1020
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1952
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:2044
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1180
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1908
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:1168
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1472
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1556
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1188
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1812
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1780
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:532
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:320
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1460
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1156
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1160
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1012
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1676
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:1572
        
        C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:1576
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1812
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:572
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:1076
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\update.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:972
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        
        PID:1552
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:1132
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:1468
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:1832
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:1800
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        
        PID:1416
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:1572
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:584
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:1976
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:1128
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:1728
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:840
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        
        PID:1152
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        
        PID:812
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        
        PID:608
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1696
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:1180
        
        C:\Program Files\Java\jre7\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\data.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        System policy modification
        
        PID:1100
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:1484
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:1812
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:568
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1632
      - C:\Program Files\Microsoft Games\Chess\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Chess\System Restore.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1916
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:1964
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1968
        
        C:\Program Files\Microsoft Games\Chess\es-ES\update.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\update.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:1244
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:860
        
        C:\Program Files\Microsoft Games\Chess\it-IT\data.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\data.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:2024
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:2172
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1940
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1008
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        Drops file in Program Files directory
        
        PID:1908
      - C:\Program Files\Microsoft Games\Minesweeper\data.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\data.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:1960
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:2180
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2044
    - - C:\Program Files\Mozilla Firefox\System Restore.exe
        
        "C:\Program Files\Mozilla Firefox\System Restore.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:532
    - - C:\Program Files\MSBuild\update.exe
        
        "C:\Program Files\MSBuild\update.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1556
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1460
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2104
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:524
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1312
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:1960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        Drops file in Program Files directory
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1472
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1732
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Drops file in Program Files directory
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:1656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        System policy modification
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1580
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1964
    - - C:\Program Files (x86)\Common Files\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System Restore.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1928
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:1152
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:320
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:864
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2012
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1368
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1532
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:944
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1420
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1404
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1904
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1812
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:1412
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:1344
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:1900
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        
        PID:1160
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:924
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:952
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1916
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        
        PID:1188
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        
        PID:572
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:320
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        System policy modification
        
        PID:1896
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:1708
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:360
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        
        PID:1312
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:924
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:1420
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:1344
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:1132
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        
        PID:1092
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:828
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        
        PID:2004
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1980
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:684
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:748
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:532
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:948
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1980
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        Drops file in Program Files directory
        
        PID:1908
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1412
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:2164
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1716
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:608
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1732
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1020
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1524
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:1536
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1668
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:1780
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1100
        
        C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\
        8⤵
        
        PID:324
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1924
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1732
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:1312
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1552
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:532
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1672
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1556
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1460
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1932
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:956
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:472
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        9⤵
        
        PID:1968
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1956
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:288
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1624
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:556
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2064
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:288
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Disables RegEdit via registry modification
        
        PID:964
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:840
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1180
      - C:\Users\Admin\Documents\System Restore.exe
        
        "C:\Users\Admin\Documents\System Restore.exe" C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1012
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:296
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1736
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:944
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1048
      - C:\Users\Admin\Pictures\System Restore.exe
        
        "C:\Users\Admin\Pictures\System Restore.exe" C:\Users\Admin\Pictures\
        6⤵
        
        PID:2020
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:320
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:860
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1244
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:600
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:924
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:584
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:2036
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1472
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1916
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1368
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:600
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1736
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:1604
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1284
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1736
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:436
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2020
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:1832
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:1720
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1532
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1892
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1920
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:584
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1008
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:1624
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        
        PID:1892
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1524
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:604
        
        C:\Windows\assembly\GAC\ADODB\update.exe
        
        C:\Windows\assembly\GAC\ADODB\update.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:1532
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1096
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:1648
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1412
        
        C:\Windows\assembly\GAC\Microsoft.Ink\data.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\data.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        
        PID:1244
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:980
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        8⤵
        
        PID:1616
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:1936
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:472
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:1736
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:2008
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        
        PID:748
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        
        PID:1744
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1404
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1672
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:324
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:2052
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1168
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1544
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1980
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:1560
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1492
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1316
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:680
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
343c986529b7ae0e0de15a56a7bf3ee9

SHA1
cd01d54d68d38b2262be8ade484f0955c7d657c9

SHA256
6a50c7199c2ed8df89e7cb911a40cd34ba84c43ae1e817c877e73cf6eb30ec8f

SHA512
33fa0397f48d21e7d8d33c7001dc84bf48228f9badabf41c633443e92ec3cb37fd7e82aa26fe4104a8aa42d41e0fcf4a8d7eb03ece0206abbccc55f09c94896e

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\532916106\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\532916106\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c451a672052cd6f8dd7bdfeaef6330b9

SHA1
cf13de339d70962ac097baf8ba992d2f21ee5c5a

SHA256
66376fa809ea073e9aa84bfe9e712e62ec5debeab0c6cd2719c7dd141143dfa9

SHA512
0b8fd1b5c192220eb84e834e6ee944bbe22a85166b09d0b9b9771134f6c2513ad61a44e0955afa7b4424fbeed5d00c36066ccd502fa92d58e455191ada680f68

Download Submit
C:\backup.exe

Filesize
72KB

MD5
c451a672052cd6f8dd7bdfeaef6330b9

SHA1
cf13de339d70962ac097baf8ba992d2f21ee5c5a

SHA256
66376fa809ea073e9aa84bfe9e712e62ec5debeab0c6cd2719c7dd141143dfa9

SHA512
0b8fd1b5c192220eb84e834e6ee944bbe22a85166b09d0b9b9771134f6c2513ad61a44e0955afa7b4424fbeed5d00c36066ccd502fa92d58e455191ada680f68

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
343c986529b7ae0e0de15a56a7bf3ee9

SHA1
cd01d54d68d38b2262be8ade484f0955c7d657c9

SHA256
6a50c7199c2ed8df89e7cb911a40cd34ba84c43ae1e817c877e73cf6eb30ec8f

SHA512
33fa0397f48d21e7d8d33c7001dc84bf48228f9badabf41c633443e92ec3cb37fd7e82aa26fe4104a8aa42d41e0fcf4a8d7eb03ece0206abbccc55f09c94896e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
343c986529b7ae0e0de15a56a7bf3ee9

SHA1
cd01d54d68d38b2262be8ade484f0955c7d657c9

SHA256
6a50c7199c2ed8df89e7cb911a40cd34ba84c43ae1e817c877e73cf6eb30ec8f

SHA512
33fa0397f48d21e7d8d33c7001dc84bf48228f9badabf41c633443e92ec3cb37fd7e82aa26fe4104a8aa42d41e0fcf4a8d7eb03ece0206abbccc55f09c94896e

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
\Program Files\7-Zip\data.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
f0990c4c06dd42e7f6b266dc3a994dce

SHA1
be236ae9bf298972d6cd93f4ceffe556e750bdcc

SHA256
468af3c4600744a1b07284c719fe44825af59ce3436d0ed986d91d4c34b6c5dd

SHA512
a8323b25e15e8224e411a11319297c77c26d18041a623280736981c768458fb69f7a7c44d25e924626c73c8f5b88211fbd0212dca58b487960264d0e3733a1ea

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
916ba0dda549c861bb1f5f48c064fe6d

SHA1
d4580706845a671b6a6326337b1688078a495c2b

SHA256
ec7e04375979ea5d89f9139e30563fde6ceaaf8919b79bc12e551fe5682075fb

SHA512
d947235b39e8ea5b6c19dad12dc38209bfc3f73136b06478b81ec40477950eb21ed0e51107a0288265118568e6daa253420cc4af2febcab5a17abd13b3e70c55

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
115ce6d305dd6de69c04c74d0b3b4b1d

SHA1
2e241d2219072f2e213c0c91f4ee17aa86869ec8

SHA256
77093ad22dee28f4b614cc44a84fecc5d2d4d27fc5fd95692fd20b0b9feb4b79

SHA512
47cf31634e8ce4a982c3ad547b5bef898fa4d77b07fd5a043fa3ebceb5aa1ea107d4c6f991f9630802d15308459b9c3c382ad6539d574e25a2a4a1f40f7fbef4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
f8dd10b877f0f6113ea4320d893e8d25

SHA1
b998b0b06ebeaccc0477ee095806d6d8a22db006

SHA256
b8a99d915cc8013b94f2884c4861ac0625dd89bd83e42e6257d958371258fa90

SHA512
6a3f8a9e17ec832991893c58e599755bdfac74b5676e935fb9b69a1ebe2b28427f812e293126f5d7d57a7875c4ce4236257dd900467abe6b3f9258c680f13e3c

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f081d411fe85614b1ab842bc4b85de19

SHA1
acb400c23bb6de9725eb66bb707afac21afb9064

SHA256
980ef81f005fdb8a5ba927deedc547339a88349b6b25a0ac269d751b2d368c15

SHA512
d16031fdcff4f2ce324eaced9ea9de44a27cfa6c9773c1414132c6785043899cd06ff1049a0e54b556e9bac67175e7a426ea7cd24fd8358428f1cb1bc4f07c78

Download Submit
\Users\Admin\AppData\Local\Temp\532916106\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\532916106\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
e168209d51f3c2e0cef095288f85c2d4

SHA1
e011afc10d1d3eb36393560abdb9865a99b10ea2

SHA256
1c13b05535522f2eeb128eaf08d1ac5b7e1695ef4de59a04b55a94963cec6233

SHA512
0758c27c5b440f8c49f542be8b383ca5b50b19fae725bb608b04b49c3d1e3fa76b8c8ccbd17faa4d362f0da707840485221fb10883d4dd1ab67eaf8dd01ee2a5

Download Submit
memory/816-124-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/816-98-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads