82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
Size

72KB
MD5

03199c6c5acf0c4496e543f34fad0a7e
SHA1

ba9f7b6d3f6ac8b74a55fcad4a13442adb43b0a4
SHA256

82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59
SHA512

05f07e5c27bc32fbb05bb56cdf74309ea36807756c4b27b7c57f77f85e083aa4c0ece9507f2586edc6121230689e69a8d1c755f236423d288818d925a1170beb
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3DX:teThavEjDWguKj

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1108	backup.exe
2024	backup.exe
1304	backup.exe
1112	backup.exe
1180	backup.exe
1356	backup.exe
1372	backup.exe
1500	backup.exe
1172	backup.exe
324	backup.exe
780	backup.exe
1348	backup.exe
1648	backup.exe
1772	backup.exe
1832	System Restore.exe
1836	backup.exe
1644	backup.exe
1068	backup.exe
796	backup.exe
1020	System Restore.exe
1212	update.exe
1624	backup.exe
1636	backup.exe
1744	backup.exe
1356	backup.exe
2028	backup.exe
1688	backup.exe
1596	backup.exe
1548	backup.exe
988	backup.exe
1620	backup.exe
1528	backup.exe
1148	backup.exe
1172	backup.exe
1996	backup.exe
1392	backup.exe
1140	backup.exe
1488	backup.exe
1900	backup.exe
240	backup.exe
1272	backup.exe
1344	backup.exe
1456	backup.exe
1612	backup.exe
892	backup.exe
900	backup.exe
2024	data.exe
1464	backup.exe
1020	backup.exe
1468	backup.exe
1768	backup.exe
1764	backup.exe
824	backup.exe
1784	data.exe
1064	backup.exe
1588	backup.exe
1700	backup.exe
1868	backup.exe
988	backup.exe
1620	backup.exe
992	backup.exe
1904	backup.exe
968	backup.exe
1012	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1500	backup.exe
1500	backup.exe
1172	backup.exe
1172	backup.exe
1500	backup.exe
1500	backup.exe
780	backup.exe
780	backup.exe
1348	backup.exe
1348	backup.exe
780	backup.exe
780	backup.exe
1772	backup.exe
1772	backup.exe
1832	System Restore.exe
1832	System Restore.exe
1832	System Restore.exe
1832	System Restore.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1212	update.exe
1212	update.exe
1212	update.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1644	backup.exe
1548	backup.exe
1548	backup.exe
1548	backup.exe
1548	backup.exe
1548	backup.exe
1548	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe	backup.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\System Restore.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\update.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
1108	backup.exe
2024	backup.exe
1304	backup.exe
1112	backup.exe
1180	backup.exe
1356	backup.exe
1372	backup.exe
1500	backup.exe
1172	backup.exe
324	backup.exe
780	backup.exe
1348	backup.exe
1648	backup.exe
1772	backup.exe
1832	System Restore.exe
1836	backup.exe
1644	backup.exe
1068	backup.exe
796	backup.exe
1020	System Restore.exe
1212	update.exe
1624	backup.exe
1636	backup.exe
1744	backup.exe
1356	backup.exe
2028	backup.exe
1688	backup.exe
1596	backup.exe
1548	backup.exe
988	backup.exe
1620	backup.exe
1528	backup.exe
1148	backup.exe
1172	backup.exe
1996	backup.exe
1392	backup.exe
1140	backup.exe
1488	backup.exe
1900	backup.exe
240	backup.exe
1272	backup.exe
1344	backup.exe
1456	backup.exe
1612	backup.exe
892	backup.exe
900	backup.exe
2024	data.exe
1464	backup.exe
1020	backup.exe
1468	backup.exe
1768	backup.exe
1764	backup.exe
824	backup.exe
1784	data.exe
1064	backup.exe
1588	backup.exe
1700	backup.exe
1868	backup.exe
988	backup.exe
1620	backup.exe
992	backup.exe
1904	backup.exe
968	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1108	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	27
PID 1816 wrote to memory of 1108	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	27
PID 1816 wrote to memory of 1108	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	27
PID 1816 wrote to memory of 1108	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	27
PID 1816 wrote to memory of 2024	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	28
PID 1816 wrote to memory of 2024	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	28
PID 1816 wrote to memory of 2024	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	28
PID 1816 wrote to memory of 2024	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	28
PID 1816 wrote to memory of 1304	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	29
PID 1816 wrote to memory of 1304	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	29
PID 1816 wrote to memory of 1304	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	29
PID 1816 wrote to memory of 1304	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	29
PID 1816 wrote to memory of 1112	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	30
PID 1816 wrote to memory of 1112	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	30
PID 1816 wrote to memory of 1112	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	30
PID 1816 wrote to memory of 1112	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	30
PID 1816 wrote to memory of 1180	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	31
PID 1816 wrote to memory of 1180	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	31
PID 1816 wrote to memory of 1180	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	31
PID 1816 wrote to memory of 1180	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	31
PID 1816 wrote to memory of 1356	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	32
PID 1816 wrote to memory of 1356	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	32
PID 1816 wrote to memory of 1356	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	32
PID 1816 wrote to memory of 1356	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	32
PID 1816 wrote to memory of 1372	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	33
PID 1816 wrote to memory of 1372	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	33
PID 1816 wrote to memory of 1372	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	33
PID 1816 wrote to memory of 1372	1816	82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe	33
PID 1108 wrote to memory of 1500	1108	backup.exe	34
PID 1108 wrote to memory of 1500	1108	backup.exe	34
PID 1108 wrote to memory of 1500	1108	backup.exe	34
PID 1108 wrote to memory of 1500	1108	backup.exe	34
PID 1500 wrote to memory of 1172	1500	backup.exe	35
PID 1500 wrote to memory of 1172	1500	backup.exe	35
PID 1500 wrote to memory of 1172	1500	backup.exe	35
PID 1500 wrote to memory of 1172	1500	backup.exe	35
PID 1172 wrote to memory of 324	1172	backup.exe	36
PID 1172 wrote to memory of 324	1172	backup.exe	36
PID 1172 wrote to memory of 324	1172	backup.exe	36
PID 1172 wrote to memory of 324	1172	backup.exe	36
PID 1500 wrote to memory of 780	1500	backup.exe	37
PID 1500 wrote to memory of 780	1500	backup.exe	37
PID 1500 wrote to memory of 780	1500	backup.exe	37
PID 1500 wrote to memory of 780	1500	backup.exe	37
PID 780 wrote to memory of 1348	780	backup.exe	38
PID 780 wrote to memory of 1348	780	backup.exe	38
PID 780 wrote to memory of 1348	780	backup.exe	38
PID 780 wrote to memory of 1348	780	backup.exe	38
PID 1348 wrote to memory of 1648	1348	backup.exe	39
PID 1348 wrote to memory of 1648	1348	backup.exe	39
PID 1348 wrote to memory of 1648	1348	backup.exe	39
PID 1348 wrote to memory of 1648	1348	backup.exe	39
PID 780 wrote to memory of 1772	780	backup.exe	40
PID 780 wrote to memory of 1772	780	backup.exe	40
PID 780 wrote to memory of 1772	780	backup.exe	40
PID 780 wrote to memory of 1772	780	backup.exe	40
PID 1772 wrote to memory of 1832	1772	backup.exe	41
PID 1772 wrote to memory of 1832	1772	backup.exe	41
PID 1772 wrote to memory of 1832	1772	backup.exe	41
PID 1772 wrote to memory of 1832	1772	backup.exe	41
PID 1832 wrote to memory of 1836	1832	System Restore.exe	42
PID 1832 wrote to memory of 1836	1832	System Restore.exe	42
PID 1832 wrote to memory of 1836	1832	System Restore.exe	42
PID 1832 wrote to memory of 1836	1832	System Restore.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe
"C:\Users\Admin\AppData\Local\Temp\82ce09e48fee3911732e4deda6af0b13a81f46b477134ff445881f1e9cb75d59.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\3998805127\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3998805127\backup.exe C:\Users\Admin\AppData\Local\Temp\3998805127\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:324
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:780
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Program Files\Common Files\Microsoft Shared\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:276
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1836
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2008
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:2036
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1864
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1964
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:632
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        System policy modification
        
        PID:1544
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1176
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:1188
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:988
      - C:\Program Files\Common Files\SpeechEngines\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\data.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1660
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1156
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1848
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:968
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1136
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1392
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:368
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2032
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1976
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1512
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1808
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1728
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:1776
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:276
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1344
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1836
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1068
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:796
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1896
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1020
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:328
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:616
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1552
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1356
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1600
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1516
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1544
      - C:\Program Files\DVD Maker\fr-FR\data.exe
        
        "C:\Program Files\DVD Maker\fr-FR\data.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1608
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:972
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1660
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1136
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:368
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1976
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:1900
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:844
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:760
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:2020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1344
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2008
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1744
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1020
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:1064
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1544
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:1532
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:324
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:2000
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1132
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:332
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:240
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:1728
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1256
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        
        PID:1056
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1476
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1100
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1752
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:616
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:632
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:768
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1020
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:1064
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1188
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1392
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1568
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:992
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System policy modification
        
        PID:1572
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1360
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:1764
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:820
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1848
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1964
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        Drops file in Program Files directory
        
        PID:1512
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:988
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        System policy modification
        
        PID:736
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:1148
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        Drops file in Program Files directory
        
        PID:1176
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:1776
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        
        PID:1808
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:1668
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:1472
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:1392
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:524
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:1036
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:1636
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:2028
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:1056
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:1500
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:680
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        
        PID:2096
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        
        PID:2264
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        
        PID:2420
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        
        PID:2556
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        
        PID:1336
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:1456
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        System policy modification
        
        PID:1272
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:1768
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:1876
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        
        PID:1984
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        
        PID:1036
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:2056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        
        PID:2236
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        
        PID:1212
      - C:\Program Files\Java\jre7\data.exe
        
        "C:\Program Files\Java\jre7\data.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1992
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:1056
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        System policy modification
        
        PID:1868
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2000
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:796
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:1348
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        System policy modification
        
        PID:1516
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:1868
        
        C:\Program Files\Java\jre7\lib\cmm\update.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\update.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Program Files\Java\jre7\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
        8⤵
        
        PID:792
        
        C:\Program Files\Java\jre7\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
        8⤵
        
        PID:964
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        8⤵
        
        PID:884
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        8⤵
        
        PID:2080
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        8⤵
        
        PID:2256
        
        C:\Program Files\Java\jre7\lib\management\System Restore.exe
        
        "C:\Program Files\Java\jre7\lib\management\System Restore.exe" C:\Program Files\Java\jre7\lib\management\
        8⤵
        
        PID:2436
        
        C:\Program Files\Java\jre7\lib\security\backup.exe
        
        "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
        8⤵
        
        PID:2564
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2024
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1912
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:1152
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:1848
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:2008
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:1064
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1068
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        
        PID:1624
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        
        PID:1664
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        
        PID:1752
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\data.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\data.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:2288
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:332
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:368
      - C:\Program Files\Microsoft Games\Minesweeper\data.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\data.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:1140
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:2160
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:2316
      - C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        6⤵
        
        PID:2468
      - C:\Program Files\Microsoft Games\Solitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
        6⤵
        
        PID:2588
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1112
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1876
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:324
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1828
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:816
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:632
    - - C:\Program Files\VideoLAN\update.exe
        
        "C:\Program Files\VideoLAN\update.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2072
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2248
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2428
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:2548
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1620
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:940
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1348
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:1512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:1056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        System policy modification
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1372
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Drops file in Program Files directory
        
        PID:368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        System policy modification
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1172
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:328
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        System policy modification
        
        PID:1012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:424
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1996
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2036
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:276
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        System policy modification
        
        PID:796
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1836
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1708
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1464
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\data.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:588
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1396
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:824
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:992
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:632
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1772
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        System policy modification
        
        PID:964
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:700
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:816
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:736
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1272
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1040
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        
        PID:1212
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:796
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:1984
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:828
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:1336
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1832
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:656
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:436
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        System policy modification
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:332
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:1140
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1344
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1740
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:1372
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:884
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        
        PID:940
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        
        PID:1140
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:1100
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        
        PID:796
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1632
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        
        PID:824
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        
        PID:2168
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:2324
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2476
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:2616
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1012
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:276
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:328
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1392
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2032
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:700
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1528
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2500
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1040
        
        C:\Program Files (x86)\Common Files\System\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\update.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:2104
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2280
        
        C:\Program Files (x86)\Common Files\System\it-IT\update.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\update.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2404
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:2528
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1532
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:1256
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        System policy modification
        
        PID:552
      - C:\Program Files (x86)\Google\Temp\data.exe
        
        "C:\Program Files (x86)\Google\Temp\data.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:588
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1148
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1612
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:792
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        System policy modification
        
        PID:240
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1484
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:988
      - C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1100
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2152
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2308
    - - C:\Program Files (x86)\Microsoft Analysis Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1516
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1784
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2204
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2520
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1132
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:1564
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1052
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1592
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:968
      - C:\Users\Admin\Favorites\data.exe
        
        C:\Users\Admin\Favorites\data.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:976
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1572
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1152
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:760
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:820
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:632
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1688
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:972
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1064
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1036
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        System policy modification
        
        PID:1608
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2032
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1148
      - C:\Users\Public\Recorded TV\data.exe
        
        "C:\Users\Public\Recorded TV\data.exe" C:\Users\Public\Recorded TV\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1348
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:1360
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1484
        
        C:\Users\Public\Videos\Sample Videos\data.exe
        
        "C:\Users\Public\Videos\Sample Videos\data.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:1468
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:760
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1300
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1784
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:1188
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:2040
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1652
      - C:\Windows\AppPatch\de-DE\System Restore.exe
        
        "C:\Windows\AppPatch\de-DE\System Restore.exe" C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:424
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:544
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:1104
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1776
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:2088
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        
        PID:2272
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:1360
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:968
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:2196
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2340
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        
        PID:2492
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:2600
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1020
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1564
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:2120
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:2460
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:2608
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1132
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1112
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:240
    - - C:\Windows\debug\update.exe
        
        C:\Windows\debug\update.exe C:\Windows\debug\
        5⤵
        
        PID:2228
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:2412
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:2536
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
C:\Users\Admin\AppData\Local\Temp\3998805127\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3998805127\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
18cf1d75fb9619d26cff67b8ca354e09

SHA1
1796d3fc194b95594f66ad0f519a857ad398e965

SHA256
e338551d6ce36ca76284b161e2e77ffce7f8ea936d572bf5cedf53cf8cc3bc1f

SHA512
825ffb7331c93e944dfbc76091966e2b9504d8c965ad10c062899fefabc0a0d385e3fbf8e7e266f27c92994a601fc860f5998bb92304c50466665d2781afeda3

Download Submit
C:\backup.exe

Filesize
72KB

MD5
18cf1d75fb9619d26cff67b8ca354e09

SHA1
1796d3fc194b95594f66ad0f519a857ad398e965

SHA256
e338551d6ce36ca76284b161e2e77ffce7f8ea936d572bf5cedf53cf8cc3bc1f

SHA512
825ffb7331c93e944dfbc76091966e2b9504d8c965ad10c062899fefabc0a0d385e3fbf8e7e266f27c92994a601fc860f5998bb92304c50466665d2781afeda3

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
\Program Files\Common Files\Microsoft Shared\System Restore.exe

Filesize
72KB

MD5
efda684c7dff737961e4f31308691d58

SHA1
fb6b63b21878b9872bcc32223d6a59bdf71fc72b

SHA256
bd68fffaad4c9e427faf4260d8158cdd192169e38a39d3c58577f2b647db04b1

SHA512
1f6e568814e5f49d63490570acf99eec3d2228c22166f7700fbcfe0c6dbf17842d9477e92cd27c090870f11643f92820bbe8dd675f963b0113d1fffce30be1f6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
cd2245a78d53d1e925227b81368d993a

SHA1
6e5a688d08b1d213a4e3df4bd0a6b6822f897b94

SHA256
b689ad63c98206b25529bc3cd08ed23dd2b27259275f2f8f09d02ca28a8b5e52

SHA512
c9b74fe61910c66d1f8988c16a6757cbd81dcd85f136fb77d8ec8173f34e3241497fd7a0ac6f76cfe477664df0afd1ad842dd46bee7d65385d9b866d3fae35a1

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\System Restore.exe

Filesize
72KB

MD5
7bd08270ebc1eef9d4401bff7ab06fa8

SHA1
472144ddbd6ab1d8191c5a67701c6371f244942d

SHA256
04e9b77618040ad22bc50ddaa0f197ad3e81c94684c3196dd0937a399e3e627e

SHA512
47eec0ff95b5b9cb0074c36f96ed7bd17c990de451335eade4c7b76f16606f123cd75b2dc6d653e0b1a4efcf258bf44d5ca4094087aa908c96c7bc032205d571

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
fbbdbb21b7f11444eed68f0057e71ccd

SHA1
9c8e2d606e0480dab9ed65783951ae344152bbf4

SHA256
063f47b9889a6fda3311bada912ad99515e7899b6257931d15e742e0bfcbf888

SHA512
c198509c7ee3a9547f4d0564645684087240e1e90b821f38dfe6a5eb49c7dbd50ddf10ac20e637a4d1c641752118b540d5c5d663fc6c700e6b76d90cb8440306

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
f50b9dcbc858fb7616b117330659b420

SHA1
3868445bfdfb1a6c4d2bf509199c3f34652044c2

SHA256
1a15a41aa0098c8ad806097486605ab4a0e8bf583582d213490bca18a5a46a7b

SHA512
e184ebfac3f4db9007f8154a82ed024fcef410f8bfa067acbc0245e57c9e642ecee35a314636688d85fd6b07121249c2624141e200af483f67dc4f67a5b91121

Download Submit
\Users\Admin\AppData\Local\Temp\3998805127\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\3998805127\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
22f012da0509ee177e5996460bcc5efb

SHA1
a5a3e83f2b9082796593fae45bcb95a5db3a501f

SHA256
c2679a484d72d3d2eabecc8b7bc4ae31716180fba7595169af75f3cb0d7f3a40

SHA512
263050ebedef5b522eb0349ae200c3b08832bbd9461117eb025d3e95988ea41cd6f33ba870f77c2ad1c1bcaa03a1171ff3ec4d62e1f38140af19b44e8fc84d2c

Download Submit
memory/1816-98-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1816-100-0x0000000074991000-0x0000000074993000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads