95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
Size

72KB
MD5

182c4f4a96b2fa322c07186ab5733708
SHA1

a5424df21e796998b49d5833eccc05d4b289866b
SHA256

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964
SHA512

1a6d67ef8a8283fdc1daef652f3c72b55c555e88c4bca49281851337f4ce07befa4f0f10a49a865ea2b974c82a692d9f4ba9d0d4434a861686794d030826a2a0
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2J:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr1

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

Processes:

backup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1316	backup.exe
1092	backup.exe
1168	backup.exe
1108	backup.exe
560	backup.exe
1720	backup.exe
1016	backup.exe
1432	backup.exe
1164	backup.exe
964	backup.exe
1980	data.exe
1972	backup.exe
580	backup.exe
1636	backup.exe
1704	backup.exe
1820	data.exe
888	backup.exe
1044	data.exe
1196	backup.exe
1064	backup.exe
856	backup.exe
884	backup.exe
1716	backup.exe
268	backup.exe
972	backup.exe
1720	backup.exe
1580	backup.exe
1336	backup.exe
1616	update.exe
2028	backup.exe
1436	backup.exe
1648	backup.exe
1624	backup.exe
1596	System Restore.exe
1968	backup.exe
880	backup.exe
528	backup.exe
860	backup.exe
1944	backup.exe
1308	backup.exe
1516	backup.exe
1820	backup.exe
1388	data.exe
1144	backup.exe
1812	backup.exe
1236	backup.exe
536	backup.exe
664	backup.exe
556	backup.exe
1932	backup.exe
1640	backup.exe
1576	backup.exe
568	backup.exe
1680	backup.exe
696	backup.exe
1628	System Restore.exe
1284	backup.exe
620	backup.exe
2012	backup.exe
1648	backup.exe
2024	backup.exe
1976	backup.exe
1892	backup.exe
812	backup.exe

Loads dropped DLL 64 IoCs

Processes:

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

pid	process
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1432	backup.exe
1432	backup.exe
1164	backup.exe
1164	backup.exe
1432	backup.exe
1432	backup.exe
1980	data.exe
1980	data.exe
1972	backup.exe
1972	backup.exe
1980	data.exe
1980	data.exe
1636	backup.exe
1636	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
888	backup.exe
1616	update.exe
1616	update.exe
1616	update.exe
1616	update.exe
1616	update.exe
2028	backup.exe
2028	backup.exe
2028	backup.exe
1616	update.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe	backup.exe

Drops file in Windows directory 22 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\debug\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe

pid process

1760 95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
1316	backup.exe
1092	backup.exe
1168	backup.exe
1108	backup.exe
560	backup.exe
1720	backup.exe
1016	backup.exe
1432	backup.exe
1164	backup.exe
964	backup.exe
1980	data.exe
1972	backup.exe
580	backup.exe
1636	backup.exe
1704	backup.exe
1820	data.exe
888	backup.exe
1196	backup.exe
1064	backup.exe
856	backup.exe
884	backup.exe
1716	backup.exe
268	backup.exe
972	backup.exe
1720	backup.exe
1580	backup.exe
1336	backup.exe
1616	update.exe
2028	backup.exe
1436	backup.exe
1648	backup.exe
1624	backup.exe
1596	System Restore.exe
1968	backup.exe
880	backup.exe
528	backup.exe
860	backup.exe
1944	backup.exe
1308	backup.exe
1516	backup.exe
1820	backup.exe
1388	data.exe
1144	backup.exe
1812	backup.exe
1236	backup.exe
536	backup.exe
664	backup.exe
556	backup.exe
1932	backup.exe
1640	backup.exe
1576	backup.exe
568	backup.exe
1680	backup.exe
696	backup.exe
1628	System Restore.exe
1284	backup.exe
620	backup.exe
2012	backup.exe
1648	backup.exe
2024	backup.exe
1976	backup.exe
1892	backup.exe
812	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1760 wrote to memory of 1316	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1316	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1316	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1316	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1092	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1092	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1092	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1092	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1168	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1168	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1168	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1168	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1108	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1108	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1108	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1108	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 560	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 560	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 560	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 560	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1720	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1720	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1720	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1720	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1016	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1016	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1016	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1760 wrote to memory of 1016	1760	95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe	backup.exe
PID 1316 wrote to memory of 1432	1316	backup.exe	backup.exe
PID 1316 wrote to memory of 1432	1316	backup.exe	backup.exe
PID 1316 wrote to memory of 1432	1316	backup.exe	backup.exe
PID 1316 wrote to memory of 1432	1316	backup.exe	backup.exe
PID 1432 wrote to memory of 1164	1432	backup.exe	backup.exe
PID 1432 wrote to memory of 1164	1432	backup.exe	backup.exe
PID 1432 wrote to memory of 1164	1432	backup.exe	backup.exe
PID 1432 wrote to memory of 1164	1432	backup.exe	backup.exe
PID 1164 wrote to memory of 964	1164	backup.exe	backup.exe
PID 1164 wrote to memory of 964	1164	backup.exe	backup.exe
PID 1164 wrote to memory of 964	1164	backup.exe	backup.exe
PID 1164 wrote to memory of 964	1164	backup.exe	backup.exe
PID 1432 wrote to memory of 1980	1432	backup.exe	data.exe
PID 1432 wrote to memory of 1980	1432	backup.exe	data.exe
PID 1432 wrote to memory of 1980	1432	backup.exe	data.exe
PID 1432 wrote to memory of 1980	1432	backup.exe	data.exe
PID 1980 wrote to memory of 1972	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1972	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1972	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1972	1980	data.exe	backup.exe
PID 1972 wrote to memory of 580	1972	backup.exe	backup.exe
PID 1972 wrote to memory of 580	1972	backup.exe	backup.exe
PID 1972 wrote to memory of 580	1972	backup.exe	backup.exe
PID 1972 wrote to memory of 580	1972	backup.exe	backup.exe
PID 1980 wrote to memory of 1636	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1636	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1636	1980	data.exe	backup.exe
PID 1980 wrote to memory of 1636	1980	data.exe	backup.exe
PID 1636 wrote to memory of 1704	1636	backup.exe	backup.exe
PID 1636 wrote to memory of 1704	1636	backup.exe	backup.exe
PID 1636 wrote to memory of 1704	1636	backup.exe	backup.exe
PID 1636 wrote to memory of 1704	1636	backup.exe	backup.exe
PID 1704 wrote to memory of 1820	1704	backup.exe	data.exe
PID 1704 wrote to memory of 1820	1704	backup.exe	data.exe
PID 1704 wrote to memory of 1820	1704	backup.exe	data.exe
PID 1704 wrote to memory of 1820	1704	backup.exe	data.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe
"C:\Users\Admin\AppData\Local\Temp\95d287edf2175bd61b377ec5a976a0ba5e8cd053259fef8bce4adabbac898964.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\3070574027\backup.exe
C:\Users\Admin\AppData\Local\Temp\3070574027\backup.exe C:\Users\Admin\AppData\Local\Temp\3070574027\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\backup.exe
\backup.exe \
3⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964

C:\Program Files\data.exe
"C:\Program Files\data.exe" C:\Program Files\
4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704

C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:888

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- System policy modification
PID:1044

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:856

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:884

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:268

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1616

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:880

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:860

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1308

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:536

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:664

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:556

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1640

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:568

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:696

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:620

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:1688

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:580

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:1372

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- Disables RegEdit via registry modification
PID:860

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1020

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
- Disables RegEdit via registry modification
PID:1832

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:1308

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:2036

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:2008

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:2004

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:1388

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
PID:1764

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:112

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:584

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:1064

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:536

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:516

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
PID:572

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:976

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:268

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1576

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
- System policy modification
PID:1152

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:1264

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:1728

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:1796

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1628

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:1256

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
PID:1492

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
- System policy modification
PID:1512

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Drops file in Program Files directory
PID:772

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
- Disables RegEdit via registry modification
PID:916

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:1648

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
PID:1624

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:1596

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:2032

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:944

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
- System policy modification
PID:880

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- Disables RegEdit via registry modification
PID:1688

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:580

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:1372

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
- Disables RegEdit via registry modification
PID:860

C:\Program Files\Common Files\System\es-ES\System Restore.exe
"C:\Program Files\Common Files\System\es-ES\System Restore.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
- System policy modification
PID:1020

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- Disables RegEdit via registry modification
PID:1832

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:1848

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2036

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1332

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1696

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:2040

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
- Disables RegEdit via registry modification
PID:1764

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
PID:112

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
PID:584

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
- Disables RegEdit via registry modification
PID:1064

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
PID:536

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:516

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:1932

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:1772

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:568

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:696

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:848

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1400

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- System policy modification
PID:1704

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1852

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
- System policy modification
PID:1600

C:\Program Files\DVD Maker\fr-FR\System Restore.exe
"C:\Program Files\DVD Maker\fr-FR\System Restore.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- System policy modification
PID:600

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
PID:1972

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:1688

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1608

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:1020

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1308

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1748

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:676

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1388

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
- Disables RegEdit via registry modification
PID:1732

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
- Disables RegEdit via registry modification
PID:1488

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:1544

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:1436

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:1568

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1492

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
- System policy modification
PID:1148

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:1600

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
PID:600

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
PID:944

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:1688

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
- Disables RegEdit via registry modification
PID:1396

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1820

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1748

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
- Modifies visibility of file extensions in Explorer
PID:740

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:1764

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1644

C:\Program Files\Google\Chrome\Application\System Restore.exe
"C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
7⤵
PID:1932

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:568

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
PID:316

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
- Modifies visibility of file extensions in Explorer
PID:696

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
PID:1628

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
PID:1660

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
- Disables RegEdit via registry modification
PID:916

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
PID:1088

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
- System policy modification
PID:1968

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
PID:528

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\System Restore.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
PID:2020

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
- Disables RegEdit via registry modification
PID:1348

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1676

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
PID:896

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:1696

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:856

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:1400

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- System policy modification
PID:1384

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:1052

C:\Program Files\Internet Explorer\images\update.exe
"C:\Program Files\Internet Explorer\images\update.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1680

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
- System policy modification
PID:316

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1648

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:2004

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Drops file in Program Files directory
PID:1976

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Drops file in Program Files directory
PID:772

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
- Disables RegEdit via registry modification
PID:1956

C:\Program Files\Java\jdk1.7.0_80\db\update.exe
"C:\Program Files\Java\jdk1.7.0_80\db\update.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
- Disables RegEdit via registry modification
PID:1152

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
PID:888

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
PID:1808

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:980

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
8⤵
PID:1516

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
9⤵
- System policy modification
PID:1396

C:\Program Files\Java\jdk1.7.0_80\jre\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:812

C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1936

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
9⤵
PID:1720

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1772

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1160

C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
8⤵
PID:516

C:\Program Files\Java\jdk1.7.0_80\lib\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
7⤵
- Disables RegEdit via registry modification
PID:1624

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
8⤵
- Drops file in Program Files directory
PID:1960

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
9⤵
PID:112

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
9⤵
PID:1196

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
9⤵
PID:1800

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
9⤵
PID:952

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
9⤵
PID:1884

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
8⤵
- Drops file in Program Files directory
PID:380

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
9⤵
PID:1372

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
9⤵
PID:2088

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
9⤵
PID:2224

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
- Drops file in Program Files directory
PID:956

C:\Program Files\Java\jre7\bin\backup.exe
"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
7⤵
- Disables RegEdit via registry modification
PID:1812

C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
8⤵
PID:696

C:\Program Files\Java\jre7\bin\plugin2\backup.exe
"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
8⤵
PID:1432

C:\Program Files\Java\jre7\bin\server\backup.exe
"C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
8⤵
PID:1580

C:\Program Files\Java\jre7\lib\backup.exe
"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
7⤵
PID:1676

C:\Program Files\Microsoft Games\update.exe
"C:\Program Files\Microsoft Games\update.exe" C:\Program Files\Microsoft Games\
5⤵
- Drops file in Program Files directory
PID:1668

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
- System policy modification
PID:884

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:1704

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
- System policy modification
PID:1884

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
PID:1384

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
PID:2032

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:1284

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
PID:1832

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:1044

C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
7⤵
PID:1732

C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
7⤵
PID:1512

C:\Program Files\Microsoft Games\FreeCell\es-ES\data.exe
"C:\Program Files\Microsoft Games\FreeCell\es-ES\data.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
7⤵
PID:2068

C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
7⤵
PID:2248

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
PID:740

C:\Program Files\Microsoft Games\Mahjong\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
PID:528

C:\Program Files\Microsoft Games\Minesweeper\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
PID:1648

C:\Program Files\Microsoft Games\More Games\update.exe
"C:\Program Files\Microsoft Games\More Games\update.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:1356

C:\Program Files\Microsoft Games\Multiplayer\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
6⤵
PID:2104

C:\Program Files\Microsoft Games\Purble Place\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
6⤵
PID:2268

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:1016

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:1568

C:\Program Files\MSBuild\update.exe
"C:\Program Files\MSBuild\update.exe" C:\Program Files\MSBuild\
5⤵
PID:1688

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:1660

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:1656

C:\Program Files\Windows Defender\backup.exe
"C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
5⤵
PID:2184

C:\Program Files\Windows Journal\System Restore.exe
"C:\Program Files\Windows Journal\System Restore.exe" C:\Program Files\Windows Journal\
5⤵
PID:2312

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
- System policy modification
PID:1716

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
PID:920

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- System policy modification
PID:1576

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:1336

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Drops file in Program Files directory
PID:1604

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
- System policy modification
PID:1492

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1088

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:2000

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:944

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1372

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
PID:1396

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1516

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
- Drops file in Program Files directory
PID:2004

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1812

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
- System policy modification
PID:1092

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
- Drops file in Program Files directory
PID:1160

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
- Drops file in Program Files directory
PID:516

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:1640

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
- Drops file in Program Files directory
PID:1264

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:956

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:848

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
PID:536

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
PID:964

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:1512

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
- Disables RegEdit via registry modification
PID:1968

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:1972

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:1624

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
- Modifies visibility of file extensions in Explorer
PID:768

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:1884

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:2036

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
PID:1668

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
PID:968

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
- Modifies visibility of file extensions in Explorer
PID:1428

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
PID:556

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:1588

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:572

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:1152

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:1436

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Drops file in Program Files directory
PID:1252

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
- System policy modification
PID:1868

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
PID:820

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:1956

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
PID:2024

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:1964

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1372

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
- Drops file in Program Files directory
PID:1668

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
- System policy modification
PID:432

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:1616

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:520

C:\Program Files (x86)\Common Files\Adobe\Updater6\data.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\data.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
PID:2008

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1588

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
- Drops file in Program Files directory
PID:1636

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
8⤵
- System policy modification
PID:884

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:1704

C:\Program Files (x86)\Common Files\microsoft shared\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1868

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
- Disables RegEdit via registry modification
PID:1148

C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:960

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
7⤵
PID:1968

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
8⤵
PID:600

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
7⤵
PID:1776

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
7⤵
PID:920

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1108

C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1624

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
8⤵
- System policy modification
PID:268

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
8⤵
PID:840

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
8⤵
- Disables RegEdit via registry modification
PID:664

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
8⤵
- Modifies visibility of file extensions in Explorer
PID:676

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
8⤵
- Disables RegEdit via registry modification
PID:1196

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
8⤵
- System policy modification
PID:2008

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
8⤵
- System policy modification
PID:1796

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
8⤵
- Disables RegEdit via registry modification
PID:316

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
8⤵
PID:928

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
8⤵
- System policy modification
PID:1648

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
8⤵
PID:884

C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1852

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
8⤵
PID:2004

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
8⤵
- Disables RegEdit via registry modification
PID:2000

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
8⤵
PID:1600

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:572

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
8⤵
PID:960

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
PID:1656

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:1992

C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
7⤵
PID:528

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
8⤵
PID:1732

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1296

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
PID:664

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
8⤵
PID:1668

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
- System policy modification
PID:1128

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
PID:848

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:1660

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:2004

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
7⤵
- System policy modification
PID:1800

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
8⤵
PID:1336

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
8⤵
PID:1576

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
8⤵
- Drops file in Program Files directory
PID:888

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
9⤵
PID:1892

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
9⤵
PID:1308

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
9⤵
- Modifies visibility of file extensions in Explorer
PID:960

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
9⤵
PID:768

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
9⤵
PID:1640

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
9⤵
PID:2044

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
9⤵
PID:920

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
9⤵
PID:1148

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
9⤵
PID:1932

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
9⤵
PID:2156

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
9⤵
PID:2320

C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
- Modifies visibility of file extensions in Explorer
PID:944

C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
7⤵
- System policy modification
PID:1748

C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
8⤵
PID:1492

C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
7⤵
PID:1696

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
7⤵
PID:1636

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
7⤵
PID:896

C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
7⤵
PID:1892

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
7⤵
PID:2080

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
7⤵
PID:2232

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:1196

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:1296

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
7⤵
PID:820

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:1336

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1152

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:2020

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:944

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
8⤵
PID:2060

C:\Program Files (x86)\Common Files\System\ado\fr-FR\System Restore.exe
"C:\Program Files (x86)\Common Files\System\ado\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
8⤵
PID:2240

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
7⤵
PID:980

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
7⤵
PID:1992

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
7⤵
PID:948

C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
7⤵
PID:1752

C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
7⤵
PID:2148

C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
7⤵
PID:2328

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:968

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
- System policy modification
PID:536

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:580

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1944

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:1088

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1808

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:1428

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:2024

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:1628

C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:520

C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
5⤵
PID:2120

C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
"C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
5⤵
PID:2260

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
PID:1252

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
PID:536

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Disables RegEdit via registry modification
PID:1776

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- System policy modification
PID:2020

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1268

C:\Users\Admin\Downloads\data.exe
C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
6⤵
PID:1644

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:1396

C:\Users\Admin\Links\System Restore.exe
"C:\Users\Admin\Links\System Restore.exe" C:\Users\Admin\Links\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:840

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:2036

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:1160

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
- System policy modification
PID:1488

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
- System policy modification
PID:620

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1624

C:\Users\Public\update.exe
C:\Users\Public\update.exe C:\Users\Public\
5⤵
PID:1672

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
- System policy modification
PID:2000

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:2032

C:\Users\Public\Music\update.exe
C:\Users\Public\Music\update.exe C:\Users\Public\Music\
6⤵
PID:1596

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:580

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:1852

C:\Users\Public\Pictures\Sample Pictures\backup.exe
"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
7⤵
PID:2040

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:1092

C:\Users\Public\Recorded TV\Sample Media\System Restore.exe
"C:\Users\Public\Recorded TV\Sample Media\System Restore.exe" C:\Users\Public\Recorded TV\Sample Media\
7⤵
- Disables RegEdit via registry modification
PID:568

C:\Users\Public\Videos\data.exe
C:\Users\Public\Videos\data.exe C:\Users\Public\Videos\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1044

C:\Users\Public\Videos\Sample Videos\backup.exe
"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
7⤵
PID:432

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Windows directory
PID:1388

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1544

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1488

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
- Drops file in Windows directory
PID:1728

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1596

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
PID:1720

C:\Windows\AppPatch\de-DE\backup.exe
C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
6⤵
PID:460

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:1596

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:1644

C:\Windows\AppPatch\fr-FR\backup.exe
C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
6⤵
PID:2192

C:\Windows\AppPatch\it-IT\backup.exe
C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
6⤵
PID:2336

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:1264

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
PID:2164

C:\Windows\assembly\GAC_32\backup.exe
C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
6⤵
PID:2296

C:\Windows\Branding\backup.exe
C:\Windows\Branding\backup.exe C:\Windows\Branding\
5⤵
PID:1968

C:\Windows\CSC\backup.exe
C:\Windows\CSC\backup.exe C:\Windows\CSC\
5⤵
PID:1704

C:\Windows\Cursors\backup.exe
C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
5⤵
PID:1796

C:\Windows\debug\backup.exe
C:\Windows\debug\backup.exe C:\Windows\debug\
5⤵
PID:1724

C:\Windows\de-DE\backup.exe
C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
5⤵
PID:2112

C:\Windows\DigitalLocker\backup.exe
C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
5⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:560

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8c9a6ac236dfe81f704483f976c34eb4

SHA1
ebbc29b0935abc3b7779e19019c82c79072db23e

SHA256
6ebcbc2971dfaace8843cc594c14db96b93b3221b7e106758217509069e6227c

SHA512
2807d2072966f6209c0fa0d3ce9d19691df07e7233cff95a731db5d4eec571dc1dd16d9e85953c4fbe1bb6e1e71d3afc3a3c8dcbd3740e68c0f06abb55636840

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f9f908305108c7779f8f2e605a381420

SHA1
8e52e3bd44ec594d233348ce9e8e3f88ac9413b2

SHA256
cc180b2a8d9fe0bee0b6fa626413909d98c8bdae54f258ff774ac355f6c7fbd3

SHA512
bc55cd50038386c317a4c787aff594261a72de6e04690311db200cec0740860b24834fe2d29f09355367bf36076e00ec513a78ad4cc3dcd42dfe3f8c2d057deb

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
f9f908305108c7779f8f2e605a381420

SHA1
8e52e3bd44ec594d233348ce9e8e3f88ac9413b2

SHA256
cc180b2a8d9fe0bee0b6fa626413909d98c8bdae54f258ff774ac355f6c7fbd3

SHA512
bc55cd50038386c317a4c787aff594261a72de6e04690311db200cec0740860b24834fe2d29f09355367bf36076e00ec513a78ad4cc3dcd42dfe3f8c2d057deb

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
16321a6cd7e2b5f48a7dcc421e3661ca

SHA1
376f71d025d63ee4c53063574fd34a04440f066f

SHA256
632ed29e11a62e9e8dc71186c97feb9c38f1f79137dd9f3a468bf18e5c7310fe

SHA512
50ca0db2b232afa2ca3f28d7d0a85d6751d6e37f9d72b0c13a30f3be61483487a5f7744f0df4e06225ba804b87ec1726798fd598060398269fc6c8737726e7c5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fe0686953b5ed7aba1bbc3d7c2eb65f0

SHA1
51dcd2625b01c3d6064c34d215f19f75373c9ef4

SHA256
611591b0a35b15d96802f74c10aa513961598e42a14b2a8623171db88a1cee07

SHA512
70abac5032de9d5caeb97328fbef0185020013290f5930559fda89b7d9a8c8bc99002b814ae784fd576265eabc478cacfb185dd42326bcdc466c000c27a6a3aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fe0686953b5ed7aba1bbc3d7c2eb65f0

SHA1
51dcd2625b01c3d6064c34d215f19f75373c9ef4

SHA256
611591b0a35b15d96802f74c10aa513961598e42a14b2a8623171db88a1cee07

SHA512
70abac5032de9d5caeb97328fbef0185020013290f5930559fda89b7d9a8c8bc99002b814ae784fd576265eabc478cacfb185dd42326bcdc466c000c27a6a3aa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
8b22d6a3f5e5569e3e34b4626e5e5379

SHA1
e817d3b1101280f2daaaeef5a27e0bc2b3f366ec

SHA256
edc0594469db1733853a64bcbe01222620620eb8f8def61d57467d8ec8729ba0

SHA512
f362a015b5c6707c2dd94b3b1cc9d2236d210b6b534928ed59d7af127989de3ad2008f40461982c7e04de1d968292afd3eb7c5172b766341239b2b283f1efee2

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
8b22d6a3f5e5569e3e34b4626e5e5379

SHA1
e817d3b1101280f2daaaeef5a27e0bc2b3f366ec

SHA256
edc0594469db1733853a64bcbe01222620620eb8f8def61d57467d8ec8729ba0

SHA512
f362a015b5c6707c2dd94b3b1cc9d2236d210b6b534928ed59d7af127989de3ad2008f40461982c7e04de1d968292afd3eb7c5172b766341239b2b283f1efee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3070574027\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\3070574027\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
C:\backup.exe

Filesize
72KB

MD5
62b01c180199594f9921dddf681bb292

SHA1
1af5f95f760bf4171ebb14e96a980335da6c6211

SHA256
06f786866c9d08b9378220b831c89d12495c7ebf2d7a332eff7ad693e24cd63d

SHA512
6d2d8dbd86de95976e044fb5464eb5171e3c69aa3b646ea2cc9206bdc617c41dea0f82bfcfdd8b22723e4949494d12f6fff7b6648c2065edbac4c743f5f1c637

Download Submit
C:\backup.exe

Filesize
72KB

MD5
62b01c180199594f9921dddf681bb292

SHA1
1af5f95f760bf4171ebb14e96a980335da6c6211

SHA256
06f786866c9d08b9378220b831c89d12495c7ebf2d7a332eff7ad693e24cd63d

SHA512
6d2d8dbd86de95976e044fb5464eb5171e3c69aa3b646ea2cc9206bdc617c41dea0f82bfcfdd8b22723e4949494d12f6fff7b6648c2065edbac4c743f5f1c637

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8c9a6ac236dfe81f704483f976c34eb4

SHA1
ebbc29b0935abc3b7779e19019c82c79072db23e

SHA256
6ebcbc2971dfaace8843cc594c14db96b93b3221b7e106758217509069e6227c

SHA512
2807d2072966f6209c0fa0d3ce9d19691df07e7233cff95a731db5d4eec571dc1dd16d9e85953c4fbe1bb6e1e71d3afc3a3c8dcbd3740e68c0f06abb55636840

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
8c9a6ac236dfe81f704483f976c34eb4

SHA1
ebbc29b0935abc3b7779e19019c82c79072db23e

SHA256
6ebcbc2971dfaace8843cc594c14db96b93b3221b7e106758217509069e6227c

SHA512
2807d2072966f6209c0fa0d3ce9d19691df07e7233cff95a731db5d4eec571dc1dd16d9e85953c4fbe1bb6e1e71d3afc3a3c8dcbd3740e68c0f06abb55636840

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f9f908305108c7779f8f2e605a381420

SHA1
8e52e3bd44ec594d233348ce9e8e3f88ac9413b2

SHA256
cc180b2a8d9fe0bee0b6fa626413909d98c8bdae54f258ff774ac355f6c7fbd3

SHA512
bc55cd50038386c317a4c787aff594261a72de6e04690311db200cec0740860b24834fe2d29f09355367bf36076e00ec513a78ad4cc3dcd42dfe3f8c2d057deb

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
f9f908305108c7779f8f2e605a381420

SHA1
8e52e3bd44ec594d233348ce9e8e3f88ac9413b2

SHA256
cc180b2a8d9fe0bee0b6fa626413909d98c8bdae54f258ff774ac355f6c7fbd3

SHA512
bc55cd50038386c317a4c787aff594261a72de6e04690311db200cec0740860b24834fe2d29f09355367bf36076e00ec513a78ad4cc3dcd42dfe3f8c2d057deb

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
16321a6cd7e2b5f48a7dcc421e3661ca

SHA1
376f71d025d63ee4c53063574fd34a04440f066f

SHA256
632ed29e11a62e9e8dc71186c97feb9c38f1f79137dd9f3a468bf18e5c7310fe

SHA512
50ca0db2b232afa2ca3f28d7d0a85d6751d6e37f9d72b0c13a30f3be61483487a5f7744f0df4e06225ba804b87ec1726798fd598060398269fc6c8737726e7c5

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\data.exe

Filesize
72KB

MD5
16321a6cd7e2b5f48a7dcc421e3661ca

SHA1
376f71d025d63ee4c53063574fd34a04440f066f

SHA256
632ed29e11a62e9e8dc71186c97feb9c38f1f79137dd9f3a468bf18e5c7310fe

SHA512
50ca0db2b232afa2ca3f28d7d0a85d6751d6e37f9d72b0c13a30f3be61483487a5f7744f0df4e06225ba804b87ec1726798fd598060398269fc6c8737726e7c5

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
2ebd60a4b23fb1dbda8e5ea3c1e51b77

SHA1
516c1f03771a74b002bfc9a24cd0ab7b6f608acd

SHA256
601418edcb67ccd22c4351d5b8d5410d8af0f688e21b3cbaf0e599b59b1dd298

SHA512
c2800509941bad963d9e4a2faef2a25a44234eb8efd735f5d45f5032d0a60e38b74f20ddb7e76462d2b8a908ace13007b01ad7e705b81e00c484fc5f0a3ca08a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fe0686953b5ed7aba1bbc3d7c2eb65f0

SHA1
51dcd2625b01c3d6064c34d215f19f75373c9ef4

SHA256
611591b0a35b15d96802f74c10aa513961598e42a14b2a8623171db88a1cee07

SHA512
70abac5032de9d5caeb97328fbef0185020013290f5930559fda89b7d9a8c8bc99002b814ae784fd576265eabc478cacfb185dd42326bcdc466c000c27a6a3aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
fe0686953b5ed7aba1bbc3d7c2eb65f0

SHA1
51dcd2625b01c3d6064c34d215f19f75373c9ef4

SHA256
611591b0a35b15d96802f74c10aa513961598e42a14b2a8623171db88a1cee07

SHA512
70abac5032de9d5caeb97328fbef0185020013290f5930559fda89b7d9a8c8bc99002b814ae784fd576265eabc478cacfb185dd42326bcdc466c000c27a6a3aa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
c033fe7b6cf8147231b9e88930b01548

SHA1
0dd2e09ab8c64e2b1fece1c68450512cb266e9af

SHA256
2efab55893174afb46775f2b57deb05e0f79955a8a4837ee7d982cf80e46d73a

SHA512
6717a49b8f59b8c637d9c1cfe3597bd1b7de12edd52d4e4820f1a7b2e9c2397c6e047448ce21c74d7b242c2db2ba62095e035dc9c51c17993bfe5ea71be5e7a0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
767e1c3ceeff0b59db89a1ec81e837f5

SHA1
5db3aea230efefcc5019d3fff83767aecb071065

SHA256
767b29cf14fbcfc7e98c7e3a404938ce5807ea1d3fa93698fa2bcdee441d970f

SHA512
1674c8f50c90cab00a0273082e9ea110dbddfeb4e04dcaac54d329a6252cd17dcccbdbf9acb2b6ab3fd3a9ac1941b97065627c49abea819e6bf301c6fc1d00c9

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
8b22d6a3f5e5569e3e34b4626e5e5379

SHA1
e817d3b1101280f2daaaeef5a27e0bc2b3f366ec

SHA256
edc0594469db1733853a64bcbe01222620620eb8f8def61d57467d8ec8729ba0

SHA512
f362a015b5c6707c2dd94b3b1cc9d2236d210b6b534928ed59d7af127989de3ad2008f40461982c7e04de1d968292afd3eb7c5172b766341239b2b283f1efee2

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
8b22d6a3f5e5569e3e34b4626e5e5379

SHA1
e817d3b1101280f2daaaeef5a27e0bc2b3f366ec

SHA256
edc0594469db1733853a64bcbe01222620620eb8f8def61d57467d8ec8729ba0

SHA512
f362a015b5c6707c2dd94b3b1cc9d2236d210b6b534928ed59d7af127989de3ad2008f40461982c7e04de1d968292afd3eb7c5172b766341239b2b283f1efee2

Download Submit
\Users\Admin\AppData\Local\Temp\3070574027\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\3070574027\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
339f27baeacbbaf35ae99fede40b16fa

SHA1
0581919829ff322fe412dfee6916b16786aa0ee0

SHA256
84b866852a6f0e646de666b26de5d25c112dc47d36f122f97c2debda79a66aac

SHA512
b14ed1f95160fa2777e83a5eabb384ce7be5db89c4fa3cad4cdf59a288e99192ea2d2a4abfdc2a48b4027e02e9b855ba5b9395c90c2b2f18e6385c83083eca76

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
c934c13c49c8ce1279959ef8cecaf48b

SHA1
7b21ac38bf39f23232227190a1b1abc2b7ca82c0

SHA256
76ea2df69b84581a82532604d002467c3d2a4df280ef8beca7762a044621d1c0

SHA512
7df8714108f974afe3e02c09efb0e52577e5e924d23e5efcbc3d49abdc6e2187515c15d5a28c9067ee990f7af6ead552279d229c09b97cd1d10a4adccab79d24

Download Submit
memory/268-189-0x0000000000000000-mapping.dmp

Download
memory/528-236-0x0000000000000000-mapping.dmp

Download
memory/536-268-0x0000000000000000-mapping.dmp

Download
memory/556-274-0x0000000000000000-mapping.dmp

Download
memory/560-82-0x0000000000000000-mapping.dmp

Download
memory/568-286-0x0000000000000000-mapping.dmp

Download
memory/580-135-0x0000000000000000-mapping.dmp

Download
memory/620-301-0x0000000000000000-mapping.dmp

Download
memory/664-271-0x0000000000000000-mapping.dmp

Download
memory/696-292-0x0000000000000000-mapping.dmp

Download
memory/812-319-0x0000000000000000-mapping.dmp

Download
memory/856-180-0x0000000000000000-mapping.dmp

Download
memory/860-240-0x0000000000000000-mapping.dmp

Download
memory/880-232-0x0000000000000000-mapping.dmp

Download
memory/884-183-0x0000000000000000-mapping.dmp

Download
memory/888-161-0x0000000000000000-mapping.dmp

Download
memory/964-115-0x0000000000000000-mapping.dmp

Download
memory/972-192-0x0000000000000000-mapping.dmp

Download
memory/1016-94-0x0000000000000000-mapping.dmp

Download
memory/1044-168-0x0000000000000000-mapping.dmp

Download
memory/1064-177-0x0000000000000000-mapping.dmp

Download
memory/1092-64-0x0000000000000000-mapping.dmp

Download
memory/1108-76-0x0000000000000000-mapping.dmp

Download
memory/1144-259-0x0000000000000000-mapping.dmp

Download
memory/1164-108-0x0000000000000000-mapping.dmp

Download
memory/1168-70-0x0000000000000000-mapping.dmp

Download
memory/1196-172-0x0000000000000000-mapping.dmp

Download
memory/1236-265-0x0000000000000000-mapping.dmp

Download
memory/1284-298-0x0000000000000000-mapping.dmp

Download
memory/1308-247-0x0000000000000000-mapping.dmp

Download
memory/1316-58-0x0000000000000000-mapping.dmp

Download
memory/1336-201-0x0000000000000000-mapping.dmp

Download
memory/1388-256-0x0000000000000000-mapping.dmp

Download
memory/1432-100-0x0000000000000000-mapping.dmp

Download
memory/1436-212-0x0000000000000000-mapping.dmp

Download
memory/1516-250-0x0000000000000000-mapping.dmp

Download
memory/1576-283-0x0000000000000000-mapping.dmp

Download
memory/1580-198-0x0000000000000000-mapping.dmp

Download
memory/1596-224-0x0000000000000000-mapping.dmp

Download
memory/1616-204-0x0000000000000000-mapping.dmp

Download
memory/1624-220-0x0000000000000000-mapping.dmp

Download
memory/1628-295-0x0000000000000000-mapping.dmp

Download
memory/1636-141-0x0000000000000000-mapping.dmp

Download
memory/1640-280-0x0000000000000000-mapping.dmp

Download
memory/1648-216-0x0000000000000000-mapping.dmp

Download
memory/1648-307-0x0000000000000000-mapping.dmp

Download
memory/1680-289-0x0000000000000000-mapping.dmp

Download
memory/1704-148-0x0000000000000000-mapping.dmp

Download
memory/1716-186-0x0000000000000000-mapping.dmp

Download
memory/1720-195-0x0000000000000000-mapping.dmp

Download
memory/1720-88-0x0000000000000000-mapping.dmp

Download
memory/1760-98-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-105-0x0000000073FA1000-0x0000000073FA3000-memory.dmp

Filesize
8KB

Download
memory/1812-262-0x0000000000000000-mapping.dmp

Download
memory/1820-155-0x0000000000000000-mapping.dmp

Download
memory/1820-253-0x0000000000000000-mapping.dmp

Download
memory/1892-316-0x0000000000000000-mapping.dmp

Download
memory/1932-277-0x0000000000000000-mapping.dmp

Download
memory/1944-244-0x0000000000000000-mapping.dmp

Download
memory/1968-228-0x0000000000000000-mapping.dmp

Download
memory/1972-128-0x0000000000000000-mapping.dmp

Download
memory/1976-313-0x0000000000000000-mapping.dmp

Download
memory/1980-121-0x0000000000000000-mapping.dmp

Download
memory/2012-304-0x0000000000000000-mapping.dmp

Download
memory/2024-310-0x0000000000000000-mapping.dmp

Download
memory/2028-208-0x0000000000000000-mapping.dmp

Download