c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b

Analysis

max time kernel
141s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
Size

72KB
MD5

483514c227bd90b53486cfbdab901730
SHA1

dee9c169735700f1f61bc66743fd6dfd2be5eff3
SHA256

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b
SHA512

dac7b4596e2cd7d297b3c167f14c20dd0da662af4e8079f1bb2c03eb5e89d3c7d2afe6e17932140893727a90fd6429eb71c24f129c622ff8ba75a3ff3f0a0181
SSDEEP

768:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr3nO:ieTce/U/hKYuKXO

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeupdate.exedata.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1656	backup.exe
952	backup.exe
1076	update.exe
2012	backup.exe
1492	backup.exe
564	backup.exe
1416	backup.exe
1364	backup.exe
1004	data.exe
1908	backup.exe
1216	backup.exe
1808	backup.exe
1664	backup.exe
472	backup.exe
1388	backup.exe
1260	backup.exe
856	backup.exe
964	backup.exe
1712	backup.exe
2040	backup.exe
1984	backup.exe
1992	backup.exe
836	update.exe
1180	backup.exe
1068	backup.exe
1680	backup.exe
1508	backup.exe
864	backup.exe
1372	backup.exe
1760	backup.exe
1592	backup.exe
1692	backup.exe
1908	backup.exe
696	backup.exe
1292	backup.exe
1472	backup.exe
1036	backup.exe
1452	backup.exe
764	backup.exe
1812	backup.exe
924	System Restore.exe
1780	backup.exe
956	backup.exe
1120	backup.exe
952	backup.exe
2036	backup.exe
2000	backup.exe
2012	backup.exe
1764	backup.exe
320	backup.exe
836	backup.exe
1180	backup.exe
1696	backup.exe
1416	backup.exe
780	backup.exe
1228	backup.exe
1824	update.exe
1092	System Restore.exe
868	backup.exe
1644	backup.exe
1096	backup.exe
1652	backup.exe
1420	backup.exe
1808	backup.exe

Loads dropped DLL 64 IoCs

Processes:

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exeupdate.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

pid	process
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1076	update.exe
1076	update.exe
1076	update.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1364	backup.exe
1364	backup.exe
1004	data.exe
1004	data.exe
1364	backup.exe
1364	backup.exe
1216	backup.exe
1216	backup.exe
1808	backup.exe
1808	backup.exe
1216	backup.exe
1216	backup.exe
472	backup.exe
472	backup.exe
1388	backup.exe
1388	backup.exe
1388	backup.exe
1388	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
836	update.exe
836	update.exe
836	update.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe
1372	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeupdate.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe

Drops file in Windows directory 2 IoCs

Processes:

backup.exeSystem Restore.exe

description	ioc	process
File opened for modification	C:\Windows\System Restore.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe

pid process

1520 c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
1656	backup.exe
952	backup.exe
1076	update.exe
2012	backup.exe
1492	backup.exe
564	backup.exe
1416	backup.exe
1364	backup.exe
1004	data.exe
1908	backup.exe
1216	backup.exe
1808	backup.exe
1664	backup.exe
472	backup.exe
1388	backup.exe
1260	backup.exe
856	backup.exe
964	backup.exe
1712	backup.exe
2040	backup.exe
1984	backup.exe
1992	backup.exe
836	update.exe
1180	backup.exe
1068	backup.exe
1680	backup.exe
1508	backup.exe
864	backup.exe
1372	backup.exe
1760	backup.exe
1592	backup.exe
1692	backup.exe
1908	backup.exe
696	backup.exe
1292	backup.exe
1472	backup.exe
1036	backup.exe
1452	backup.exe
764	backup.exe
1812	backup.exe
924	System Restore.exe
1780	backup.exe
956	backup.exe
1120	backup.exe
952	backup.exe
2036	backup.exe
2000	backup.exe
2012	backup.exe
1764	backup.exe
320	backup.exe
836	backup.exe
1180	backup.exe
1696	backup.exe
1416	backup.exe
780	backup.exe
1228	backup.exe
1824	update.exe
1092	System Restore.exe
868	backup.exe
1644	backup.exe
1096	backup.exe
1652	backup.exe
1420	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1520 wrote to memory of 1656	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1656	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1656	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1656	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 952	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 952	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 952	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 952	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 1076	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	update.exe
PID 1520 wrote to memory of 2012	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 2012	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 2012	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 2012	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1492	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1492	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1492	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1492	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 564	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 564	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 564	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 564	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1416	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1416	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1416	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1520 wrote to memory of 1416	1520	c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe	backup.exe
PID 1656 wrote to memory of 1364	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1364	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1364	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1364	1656	backup.exe	backup.exe
PID 1364 wrote to memory of 1004	1364	backup.exe	data.exe
PID 1364 wrote to memory of 1004	1364	backup.exe	data.exe
PID 1364 wrote to memory of 1004	1364	backup.exe	data.exe
PID 1364 wrote to memory of 1004	1364	backup.exe	data.exe
PID 1004 wrote to memory of 1908	1004	data.exe	backup.exe
PID 1004 wrote to memory of 1908	1004	data.exe	backup.exe
PID 1004 wrote to memory of 1908	1004	data.exe	backup.exe
PID 1004 wrote to memory of 1908	1004	data.exe	backup.exe
PID 1364 wrote to memory of 1216	1364	backup.exe	backup.exe
PID 1364 wrote to memory of 1216	1364	backup.exe	backup.exe
PID 1364 wrote to memory of 1216	1364	backup.exe	backup.exe
PID 1364 wrote to memory of 1216	1364	backup.exe	backup.exe
PID 1216 wrote to memory of 1808	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 1808	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 1808	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 1808	1216	backup.exe	backup.exe
PID 1808 wrote to memory of 1664	1808	backup.exe	backup.exe
PID 1808 wrote to memory of 1664	1808	backup.exe	backup.exe
PID 1808 wrote to memory of 1664	1808	backup.exe	backup.exe
PID 1808 wrote to memory of 1664	1808	backup.exe	backup.exe
PID 1216 wrote to memory of 472	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 472	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 472	1216	backup.exe	backup.exe
PID 1216 wrote to memory of 472	1216	backup.exe	backup.exe
PID 472 wrote to memory of 1388	472	backup.exe	backup.exe
PID 472 wrote to memory of 1388	472	backup.exe	backup.exe
PID 472 wrote to memory of 1388	472	backup.exe	backup.exe
PID 472 wrote to memory of 1388	472	backup.exe	backup.exe
PID 1388 wrote to memory of 1260	1388	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe
"C:\Users\Admin\AppData\Local\Temp\c22db2ab898b98097b97703d69f4113b011d80f742126e58811f2441a207509b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\1818320068\backup.exe
C:\Users\Admin\AppData\Local\Temp\1818320068\backup.exe C:\Users\Admin\AppData\Local\Temp\1818320068\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\PerfLogs\data.exe
C:\PerfLogs\data.exe C:\PerfLogs\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1908

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1216

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:856

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1712

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1992

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:836

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1680

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1592

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:696

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1036

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:764

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1780

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:956

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1120

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:952

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2000

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:836

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:780

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:868

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1644

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System policy modification
PID:1808

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:664

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:1664

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:568

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- Disables RegEdit via registry modification
PID:1512

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:432

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1328

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:896

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:916

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1744

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:1120

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Drops file in Program Files directory
PID:1724

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
PID:1712

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:2040

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:1984

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:2012

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
- System policy modification
PID:1000

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- System policy modification
PID:1212

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Drops file in Program Files directory
PID:524

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:836

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:1864

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
- Disables RegEdit via registry modification
PID:828

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
- System policy modification
PID:624

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
- Disables RegEdit via registry modification
PID:1444

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:780

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
- Modifies visibility of file extensions in Explorer
PID:864

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:1968

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:1592

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:1092

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
PID:1572

C:\Program Files\Common Files\Services\update.exe
"C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
6⤵
- System policy modification
PID:1004

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1308

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
- Disables RegEdit via registry modification
PID:1540

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1472

C:\Program Files\Common Files\System\ado\data.exe
"C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1420

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:332

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:768

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
- Disables RegEdit via registry modification
PID:1452

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:1284

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:604

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:1608

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- Modifies visibility of file extensions in Explorer
PID:924

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:1780

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
- System policy modification
PID:1032

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- System policy modification
PID:1856

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:2020

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
- System policy modification
PID:2016

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:2032

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
- Disables RegEdit via registry modification
PID:2024

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:1704

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
PID:1924

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:840

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:300

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
PID:548

C:\Program Files\Common Files\System\Ole DB\de-DE\data.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\data.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:1180

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:1068

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:1396

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:1788

C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\data.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1912

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:1708

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Drops file in Program Files directory
PID:1748

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Disables RegEdit via registry modification
PID:1928

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
PID:1908

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
PID:868

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
PID:1600

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2008

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:1292

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:1308

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:1168

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1536

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
- Modifies visibility of file extensions in Explorer
PID:664

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:568

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1512

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
PID:432

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1932

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:1108

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:976

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
- System policy modification
PID:916

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
PID:1856

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:288

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2020

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
PID:2016

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
- Disables RegEdit via registry modification
PID:1816

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1992

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:1492

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
PID:1000

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
PID:1212

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\update.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
- Disables RegEdit via registry modification
PID:1712

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:328

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Disables RegEdit via registry modification
PID:1180

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
PID:1068

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Drops file in Program Files directory
PID:1396

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
- System policy modification
PID:1788

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
PID:1912

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1708

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- Modifies visibility of file extensions in Explorer
PID:472

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:1968

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1908

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
- System policy modification
PID:1600

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:396

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1580

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
PID:1720

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
PID:1420

C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:1120

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
- System policy modification
PID:932

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:1988

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- System policy modification
PID:320

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:980

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1308

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:1864

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
- Disables RegEdit via registry modification
PID:1788

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
- Disables RegEdit via registry modification
PID:1472

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Drops file in Program Files directory
PID:1092

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1136

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:112

C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1812

C:\Program Files\Java\jdk1.7.0_80\db\bin\update.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\update.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
- System policy modification
PID:1736

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
- System policy modification
PID:1932

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
- Drops file in Program Files directory
PID:1744

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
8⤵
PID:1068

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
9⤵
PID:964

C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
7⤵
- Drops file in Program Files directory
PID:932

C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
8⤵
PID:692

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
9⤵
- Disables RegEdit via registry modification
PID:1724

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
9⤵
- Modifies visibility of file extensions in Explorer
PID:840

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
9⤵
PID:1712

C:\Program Files\Java\jdk1.7.0_80\jre\lib\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
8⤵
- Drops file in Program Files directory
- System policy modification
PID:836

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
9⤵
- System policy modification
PID:568

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
9⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1816

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
9⤵
PID:1000

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
9⤵
PID:1032

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
9⤵
PID:1608

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
9⤵
PID:1684

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
9⤵
PID:1088

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
10⤵
PID:588

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
9⤵
PID:1100

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
9⤵
PID:664

C:\Program Files\Java\jdk1.7.0_80\lib\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
7⤵
PID:1120

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
8⤵
- Drops file in Program Files directory
PID:1500

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
9⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1684

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
- Disables RegEdit via registry modification
PID:112

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
PID:924

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
9⤵
- Disables RegEdit via registry modification
PID:1728

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
9⤵
PID:1736

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
10⤵
PID:1200

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
9⤵
- Modifies visibility of file extensions in Explorer
PID:840

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
10⤵
PID:1980

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
9⤵
PID:1452

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
8⤵
PID:952

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
9⤵
PID:932

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:780

C:\Program Files\Java\jre7\bin\backup.exe
"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:604

C:\Program Files\Java\jre7\bin\dtplugin\update.exe
"C:\Program Files\Java\jre7\bin\dtplugin\update.exe" C:\Program Files\Java\jre7\bin\dtplugin\
8⤵
PID:1680

C:\Program Files\Java\jre7\bin\plugin2\backup.exe
"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
8⤵
PID:1508

C:\Program Files\Java\jre7\bin\server\backup.exe
"C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
8⤵
PID:568

C:\Program Files\Java\jre7\lib\backup.exe
"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
7⤵
- Disables RegEdit via registry modification
PID:1724

C:\Program Files\Java\jre7\lib\amd64\backup.exe
"C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
8⤵
PID:2024

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:548

C:\Program Files\Microsoft Games\Chess\update.exe
"C:\Program Files\Microsoft Games\Chess\update.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:664

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:1508

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
- Modifies visibility of file extensions in Explorer
PID:952

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
- Disables RegEdit via registry modification
PID:980

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
- System policy modification
PID:1444

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
- Modifies visibility of file extensions in Explorer
PID:688

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
- System policy modification
PID:896

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:1288

C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
7⤵
PID:1372

C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
7⤵
PID:320

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:472

C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
7⤵
PID:1716

C:\Program Files\Microsoft Games\Mahjong\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
- Disables RegEdit via registry modification
PID:1248

C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe
"C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
- Disables RegEdit via registry modification
PID:832

C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
7⤵
PID:1888

C:\Program Files\Microsoft Games\More Games\backup.exe
"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:1904

C:\Program Files\Microsoft Office\System Restore.exe
"C:\Program Files\Microsoft Office\System Restore.exe" C:\Program Files\Microsoft Office\
5⤵
PID:1644

C:\Program Files\Microsoft Office\Office14\backup.exe
"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
6⤵
PID:1664

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:976

C:\Program Files\Mozilla Firefox\browser\System Restore.exe
"C:\Program Files\Mozilla Firefox\browser\System Restore.exe" C:\Program Files\Mozilla Firefox\browser\
6⤵
PID:1136

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
7⤵
PID:2080

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
6⤵
PID:1072

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
7⤵
PID:2068

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
6⤵
PID:1968

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1568

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
6⤵
PID:2060

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
- System policy modification
PID:1068

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
6⤵
PID:1728

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:1908

C:\Program Files\Windows Defender\backup.exe
"C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
5⤵
PID:1040

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
PID:1972

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Drops file in Program Files directory
- System policy modification
PID:1096

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:1292

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1536

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
PID:1664

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
PID:1512

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
- System policy modification
PID:956

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1728

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2024

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
- Disables RegEdit via registry modification
PID:1984

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
- Disables RegEdit via registry modification
PID:1000

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1168

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
- Drops file in Program Files directory
PID:828

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- System policy modification
PID:780

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:836

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
- Modifies visibility of file extensions in Explorer
PID:576

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2008

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:332

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
- System policy modification
PID:568

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
- System policy modification
PID:1036

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:924

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
- Modifies visibility of file extensions in Explorer
PID:976

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1180

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:1088

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
- Disables RegEdit via registry modification
PID:1728

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:2024

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Drops file in Program Files directory
PID:2012

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
- Drops file in Program Files directory
PID:1188

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
PID:276

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
- Disables RegEdit via registry modification
PID:624

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1472

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1420

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
PID:1744

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
- Disables RegEdit via registry modification
PID:1212

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
PID:1884

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:2028

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
PID:1652

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
- Disables RegEdit via registry modification
PID:1644

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
PID:1040

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Drops file in Program Files directory
PID:1912

C:\Program Files (x86)\Common Files\Adobe\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2008

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1932

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
PID:1068

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
PID:1140

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:576

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:588

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1200

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
- Drops file in Program Files directory
PID:1308

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
PID:1692

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:1412

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
PID:964

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
PID:1788

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:2020

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:1920

C:\Program Files (x86)\Common Files\System\System Restore.exe
"C:\Program Files (x86)\Common Files\System\System Restore.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:564

C:\Program Files (x86)\Google\update.exe
"C:\Program Files (x86)\Google\update.exe" C:\Program Files (x86)\Google\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:328

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1492

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:1884

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:924

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:1260

C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
7⤵
PID:524

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1856

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:1120

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
- Modifies visibility of file extensions in Explorer
PID:624

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:856

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:1744

C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
6⤵
PID:2052

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
- System policy modification
PID:604

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
6⤵
PID:1608

C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:2100

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- System policy modification
PID:1692

C:\Users\Admin\System Restore.exe
"C:\Users\Admin\System Restore.exe" C:\Users\Admin\
5⤵
PID:900

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:948

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:1536

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:1996

C:\Users\Admin\Downloads\data.exe
C:\Users\Admin\Downloads\data.exe C:\Users\Admin\Downloads\
6⤵
- Modifies visibility of file extensions in Explorer
PID:524

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1000

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1092

C:\Users\Admin\Music\data.exe
C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
6⤵
PID:2044

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:1364

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
- System policy modification
PID:1816

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:1540

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:1292

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
PID:1504

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:1644

C:\Windows\System Restore.exe
"C:\Windows\System Restore.exe" C:\Windows\
4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
PID:948

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:328

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:952

C:\Users\Admin\AppData\Local\Temp\Low\update.exe
C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2012

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:564

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
C:\PerfLogs\data.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
C:\PerfLogs\data.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
b8e5c13f9c74d5689936aa3c4a42c645

SHA1
f7b047d680401ae5219374c766c62bec0d14825d

SHA256
f6c7751cd69f9fe56f6e6ffc6da5ada56dbc4355953e1e3ada113a561db0ec4f

SHA512
0678d6c7611f3e47ce5ce5b800028a21cbc570c3ed8dc1bbbc00d71401e05b35393acfa89c118b4d777792430da39a9c20a4600ce980912135bd63978d5265e9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
9bd47a50c07f2e620bec42328b4fb268

SHA1
7aa7ca374ac41eee7fbedda6531222dc886a61b2

SHA256
9daf0d723b770f993189a641646f9538fd7fd7c394ef11e3bca7f5078e0165ef

SHA512
e04d336ebd561483dc3d126c077f8f604c0dea0c769a8e61088a6ed15c52c74a5c1837dd1c1eff920869bd03a4a74ea7465a60f30dfbc977133165fb70d1688b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
25439078fc606649c3a8383c44878b87

SHA1
7dc608052dff31a7a60d73df13795438cef1fbdb

SHA256
cc60720ec8bfa2216d9f52193c8168da9ffeb639fd5313190fca381c00a823de

SHA512
f7a4ec1bde0db834bc8321939317e087ca834924b89ad6a897034bb666e76421d7773c2bd26580feeea326635bcffab62bc1bc724cd8a75ebf317c699f6b835e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
25439078fc606649c3a8383c44878b87

SHA1
7dc608052dff31a7a60d73df13795438cef1fbdb

SHA256
cc60720ec8bfa2216d9f52193c8168da9ffeb639fd5313190fca381c00a823de

SHA512
f7a4ec1bde0db834bc8321939317e087ca834924b89ad6a897034bb666e76421d7773c2bd26580feeea326635bcffab62bc1bc724cd8a75ebf317c699f6b835e

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1818320068\backup.exe
Filesize
72KB

MD5
01f7e7538042425dcac0d053b082cab9

SHA1
c18563eeaf196d7b91596f3b46f966221b1a9074

SHA256
4a1f68d927c2fd1e4f36e8a778b5f45f4fe5529eac7c1f11cdd01d3c9b66d521

SHA512
313e0ee883ef07a538b255cbba428902da4e1e150a3f1643dee5a731fb8b6015fa7a14b38d52c083dabae2ba92b1535a2c269b8d124a14e545811035d3e9399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1818320068\backup.exe
Filesize
72KB

MD5
01f7e7538042425dcac0d053b082cab9

SHA1
c18563eeaf196d7b91596f3b46f966221b1a9074

SHA256
4a1f68d927c2fd1e4f36e8a778b5f45f4fe5529eac7c1f11cdd01d3c9b66d521

SHA512
313e0ee883ef07a538b255cbba428902da4e1e150a3f1643dee5a731fb8b6015fa7a14b38d52c083dabae2ba92b1535a2c269b8d124a14e545811035d3e9399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
C:\backup.exe
Filesize
72KB

MD5
3e874bf00421ae0927a215831986bbfa

SHA1
328e794c1f568fce21ccd0a4af11a7268e775f13

SHA256
46d9d4b0603ea3b76e8abf6f325ee90cc27df7c9455f1e817196287035ccc6a1

SHA512
5b1c2ed31865c02f845dbb04d8285dec2b063aec278db166fd4e4bf054cc1d3e7799c05f29e0615c2f681bec035c8581860bca1cbfe9819da496410d618c2592

Download Submit
C:\backup.exe
Filesize
72KB

MD5
3e874bf00421ae0927a215831986bbfa

SHA1
328e794c1f568fce21ccd0a4af11a7268e775f13

SHA256
46d9d4b0603ea3b76e8abf6f325ee90cc27df7c9455f1e817196287035ccc6a1

SHA512
5b1c2ed31865c02f845dbb04d8285dec2b063aec278db166fd4e4bf054cc1d3e7799c05f29e0615c2f681bec035c8581860bca1cbfe9819da496410d618c2592

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\PerfLogs\data.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
\PerfLogs\data.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
b8e5c13f9c74d5689936aa3c4a42c645

SHA1
f7b047d680401ae5219374c766c62bec0d14825d

SHA256
f6c7751cd69f9fe56f6e6ffc6da5ada56dbc4355953e1e3ada113a561db0ec4f

SHA512
0678d6c7611f3e47ce5ce5b800028a21cbc570c3ed8dc1bbbc00d71401e05b35393acfa89c118b4d777792430da39a9c20a4600ce980912135bd63978d5265e9

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
b8e5c13f9c74d5689936aa3c4a42c645

SHA1
f7b047d680401ae5219374c766c62bec0d14825d

SHA256
f6c7751cd69f9fe56f6e6ffc6da5ada56dbc4355953e1e3ada113a561db0ec4f

SHA512
0678d6c7611f3e47ce5ce5b800028a21cbc570c3ed8dc1bbbc00d71401e05b35393acfa89c118b4d777792430da39a9c20a4600ce980912135bd63978d5265e9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
16faa6c4a77e51f2f38bc6e061462521

SHA1
7a3df35dabca3e087f67bb2e9f9e5e9033054a22

SHA256
1144e375d96b91027b8f93d63902ba696064fcfb8be1bbbabaef306d37784556

SHA512
234510fa3e90af768198eb696a048cf8a6540908fc2ccdd97d1e93d39e3d2ec0c2a6f602f4f8165037fbe05e3cf7b9a44aaa48ab28013a6d3cb6b4c814f50445

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
9bd47a50c07f2e620bec42328b4fb268

SHA1
7aa7ca374ac41eee7fbedda6531222dc886a61b2

SHA256
9daf0d723b770f993189a641646f9538fd7fd7c394ef11e3bca7f5078e0165ef

SHA512
e04d336ebd561483dc3d126c077f8f604c0dea0c769a8e61088a6ed15c52c74a5c1837dd1c1eff920869bd03a4a74ea7465a60f30dfbc977133165fb70d1688b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
9bd47a50c07f2e620bec42328b4fb268

SHA1
7aa7ca374ac41eee7fbedda6531222dc886a61b2

SHA256
9daf0d723b770f993189a641646f9538fd7fd7c394ef11e3bca7f5078e0165ef

SHA512
e04d336ebd561483dc3d126c077f8f604c0dea0c769a8e61088a6ed15c52c74a5c1837dd1c1eff920869bd03a4a74ea7465a60f30dfbc977133165fb70d1688b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
25439078fc606649c3a8383c44878b87

SHA1
7dc608052dff31a7a60d73df13795438cef1fbdb

SHA256
cc60720ec8bfa2216d9f52193c8168da9ffeb639fd5313190fca381c00a823de

SHA512
f7a4ec1bde0db834bc8321939317e087ca834924b89ad6a897034bb666e76421d7773c2bd26580feeea326635bcffab62bc1bc724cd8a75ebf317c699f6b835e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
25439078fc606649c3a8383c44878b87

SHA1
7dc608052dff31a7a60d73df13795438cef1fbdb

SHA256
cc60720ec8bfa2216d9f52193c8168da9ffeb639fd5313190fca381c00a823de

SHA512
f7a4ec1bde0db834bc8321939317e087ca834924b89ad6a897034bb666e76421d7773c2bd26580feeea326635bcffab62bc1bc724cd8a75ebf317c699f6b835e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
9bd47a50c07f2e620bec42328b4fb268

SHA1
7aa7ca374ac41eee7fbedda6531222dc886a61b2

SHA256
9daf0d723b770f993189a641646f9538fd7fd7c394ef11e3bca7f5078e0165ef

SHA512
e04d336ebd561483dc3d126c077f8f604c0dea0c769a8e61088a6ed15c52c74a5c1837dd1c1eff920869bd03a4a74ea7465a60f30dfbc977133165fb70d1688b

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
edb970cb2fbe9a9dd042a99c1faf4002

SHA1
b2d2885dc1b7d22d148e346f582d8c0030547ec6

SHA256
64eaead721b540b259adf04877a90e7ec9c93c78d0995583f9a388ea21fea5e5

SHA512
8bc6e1007f38ee1b20e77cf792f22ad898ead85079e14b1b5bb58a59ef8c9e189af084c9a70ada85bcbf6018668be39df8309e48177d4a8cebcc1fab993f8fba

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
1195675ca10e47a19789efe1ad815599

SHA1
f2f2c6ce6a6ee709d1fe3829db3e01d41a5be42a

SHA256
180e7fe4d94b9f32614a283f3d5015193c1ca4babeca74e28ab2c70e66f4aa74

SHA512
3580ecb081a3d2966270a257631e9f6a513438a526b46827c59a79e9c0d44a51f3de1ca2466fa409e149b2929bb92a1ceec78ef4c93cee2e775a8541e1a575a4

Download Submit
\Users\Admin\AppData\Local\Temp\1818320068\backup.exe
Filesize
72KB

MD5
01f7e7538042425dcac0d053b082cab9

SHA1
c18563eeaf196d7b91596f3b46f966221b1a9074

SHA256
4a1f68d927c2fd1e4f36e8a778b5f45f4fe5529eac7c1f11cdd01d3c9b66d521

SHA512
313e0ee883ef07a538b255cbba428902da4e1e150a3f1643dee5a731fb8b6015fa7a14b38d52c083dabae2ba92b1535a2c269b8d124a14e545811035d3e9399a

Download Submit
\Users\Admin\AppData\Local\Temp\1818320068\backup.exe
Filesize
72KB

MD5
01f7e7538042425dcac0d053b082cab9

SHA1
c18563eeaf196d7b91596f3b46f966221b1a9074

SHA256
4a1f68d927c2fd1e4f36e8a778b5f45f4fe5529eac7c1f11cdd01d3c9b66d521

SHA512
313e0ee883ef07a538b255cbba428902da4e1e150a3f1643dee5a731fb8b6015fa7a14b38d52c083dabae2ba92b1535a2c269b8d124a14e545811035d3e9399a

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
e2126e042f957c82a35b00e25a3d23e2

SHA1
ad01a0428d7f630636a2d7ce37f2f48a27f72bfe

SHA256
f473a66bf039f118959004bc1f37fc33ec9225950ab89bdb587e49085eb6ac02

SHA512
66f866c7afb104883bdd271efb01827aaf643021817a0d5add881b3a0dd67afadd5a233f1b7aecbd20c548aa6982f05d10260ffd8d4e3966fbf5e61cdb109154

Download Submit
memory/320-271-0x0000000000000000-mapping.dmp

Download
memory/472-145-0x0000000000000000-mapping.dmp

Download
memory/564-92-0x0000000000000000-mapping.dmp

Download
memory/696-223-0x0000000000000000-mapping.dmp

Download
memory/764-238-0x0000000000000000-mapping.dmp

Download
memory/780-286-0x0000000000000000-mapping.dmp

Download
memory/836-274-0x0000000000000000-mapping.dmp

Download
memory/836-189-0x0000000000000000-mapping.dmp

Download
memory/856-165-0x0000000000000000-mapping.dmp

Download
memory/864-205-0x0000000000000000-mapping.dmp

Download
memory/868-299-0x0000000000000000-mapping.dmp

Download
memory/924-244-0x0000000000000000-mapping.dmp

Download
memory/952-64-0x0000000000000000-mapping.dmp

Download
memory/952-256-0x0000000000000000-mapping.dmp

Download
memory/956-250-0x0000000000000000-mapping.dmp

Download
memory/964-172-0x0000000000000000-mapping.dmp

Download
memory/1004-111-0x0000000000000000-mapping.dmp

Download
memory/1036-232-0x0000000000000000-mapping.dmp

Download
memory/1068-196-0x0000000000000000-mapping.dmp

Download
memory/1076-69-0x0000000000000000-mapping.dmp

Download
memory/1076-72-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1092-296-0x0000000000000000-mapping.dmp

Download
memory/1096-305-0x0000000000000000-mapping.dmp

Download
memory/1120-253-0x0000000000000000-mapping.dmp

Download
memory/1180-277-0x0000000000000000-mapping.dmp

Download
memory/1180-193-0x0000000000000000-mapping.dmp

Download
memory/1216-125-0x0000000000000000-mapping.dmp

Download
memory/1228-289-0x0000000000000000-mapping.dmp

Download
memory/1260-159-0x0000000000000000-mapping.dmp

Download
memory/1292-226-0x0000000000000000-mapping.dmp

Download
memory/1364-104-0x0000000000000000-mapping.dmp

Download
memory/1372-208-0x0000000000000000-mapping.dmp

Download
memory/1388-152-0x0000000000000000-mapping.dmp

Download
memory/1416-283-0x0000000000000000-mapping.dmp

Download
memory/1416-98-0x0000000000000000-mapping.dmp

Download
memory/1420-311-0x0000000000000000-mapping.dmp

Download
memory/1452-235-0x0000000000000000-mapping.dmp

Download
memory/1472-229-0x0000000000000000-mapping.dmp

Download
memory/1492-86-0x0000000000000000-mapping.dmp

Download
memory/1508-202-0x0000000000000000-mapping.dmp

Download
memory/1520-114-0x0000000073EA1000-0x0000000073EA3000-memory.dmp

Filesize
8KB

Download
memory/1592-214-0x0000000000000000-mapping.dmp

Download
memory/1644-302-0x0000000000000000-mapping.dmp

Download
memory/1652-308-0x0000000000000000-mapping.dmp

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1664-139-0x0000000000000000-mapping.dmp

Download
memory/1680-199-0x0000000000000000-mapping.dmp

Download
memory/1692-217-0x0000000000000000-mapping.dmp

Download
memory/1696-280-0x0000000000000000-mapping.dmp

Download
memory/1712-177-0x0000000000000000-mapping.dmp

Download
memory/1760-211-0x0000000000000000-mapping.dmp

Download
memory/1764-268-0x0000000000000000-mapping.dmp

Download
memory/1780-247-0x0000000000000000-mapping.dmp

Download
memory/1808-314-0x0000000000000000-mapping.dmp

Download
memory/1808-132-0x0000000000000000-mapping.dmp

Download
memory/1812-241-0x0000000000000000-mapping.dmp

Download
memory/1824-292-0x0000000000000000-mapping.dmp

Download
memory/1908-220-0x0000000000000000-mapping.dmp

Download
memory/1908-119-0x0000000000000000-mapping.dmp

Download
memory/1984-183-0x0000000000000000-mapping.dmp

Download
memory/1992-186-0x0000000000000000-mapping.dmp

Download
memory/2000-262-0x0000000000000000-mapping.dmp

Download
memory/2012-80-0x0000000000000000-mapping.dmp

Download
memory/2012-265-0x0000000000000000-mapping.dmp

Download
memory/2036-259-0x0000000000000000-mapping.dmp

Download
memory/2040-180-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads