0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d

Analysis

max time kernel
149s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
Size

72KB
MD5

068463d8b992f8c9cd80e4fced43af79
SHA1

bb634245af2a8bad9248feed7b168d02b523e747
SHA256

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d
SHA512

7bb5ec82dce8aa5083307c3f1255baf30e11ebd5d0c6d6ed4b837dc06a4b2a5b7b2a75d5ac105779b7109e4049d3c88de207166916d2d44fba1629fb90eaba31
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2I:ipQNwC3BEddsEqOt/hyJF+x3BEJwRr0

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeSystem Restore.exebackup.exebackup.exebackup.exe0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

Processes:

backup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1080	backup.exe
940	backup.exe
756	backup.exe
1932	backup.exe
1708	backup.exe
1772	backup.exe
788	backup.exe
1816	backup.exe
1656	backup.exe
1492	backup.exe
1504	backup.exe
1832	backup.exe
316	backup.exe
996	backup.exe
1828	backup.exe
684	backup.exe
1820	backup.exe
1160	backup.exe
1300	backup.exe
456	backup.exe
1104	backup.exe
676	backup.exe
1752	backup.exe
1708	backup.exe
1212	backup.exe
892	backup.exe
548	backup.exe
1812	backup.exe
1596	backup.exe
1616	backup.exe
1132	backup.exe
1984	backup.exe
1492	backup.exe
1148	backup.exe
1968	backup.exe
616	backup.exe
1872	backup.exe
828	backup.exe
316	backup.exe
1804	backup.exe
796	backup.exe
1168	data.exe
1268	backup.exe
2016	backup.exe
944	backup.exe
2028	backup.exe
1776	backup.exe
1300	backup.exe
1720	System Restore.exe
320	backup.exe
524	backup.exe
1768	backup.exe
552	backup.exe
1540	backup.exe
1524	backup.exe
788	backup.exe
1416	backup.exe
928	backup.exe
2004	backup.exe
860	backup.exe
1636	backup.exe
1996	backup.exe
1972	backup.exe
1956	backup.exe

Loads dropped DLL 64 IoCs

Processes:

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1816	backup.exe
1816	backup.exe
1656	backup.exe
1656	backup.exe
1816	backup.exe
1816	backup.exe
1504	backup.exe
1504	backup.exe
1832	backup.exe
1832	backup.exe
1504	backup.exe
1504	backup.exe
996	backup.exe
996	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1828	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1820	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

Processes:

backup.exe

description ioc process

File opened for modification C:\Windows\update.exe backup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe

pid process

1292 0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe

description	ioc	process
File opened for modification	C:\Windows\update.exe	backup.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
1080	backup.exe
940	backup.exe
756	backup.exe
1932	backup.exe
1708	backup.exe
1772	backup.exe
788	backup.exe
1816	backup.exe
1656	backup.exe
1492	backup.exe
1504	backup.exe
1832	backup.exe
316	backup.exe
996	backup.exe
1828	backup.exe
684	backup.exe
1820	backup.exe
1160	backup.exe
1300	backup.exe
456	backup.exe
1104	backup.exe
676	backup.exe
1752	backup.exe
1708	backup.exe
1212	backup.exe
892	backup.exe
548	backup.exe
1812	backup.exe
1596	backup.exe
1616	backup.exe
1132	backup.exe
1984	backup.exe
1492	backup.exe
1148	backup.exe
1968	backup.exe
616	backup.exe
1872	backup.exe
828	backup.exe
316	backup.exe
1804	backup.exe
796	backup.exe
1168	data.exe
1268	backup.exe
2016	backup.exe
944	backup.exe
2028	backup.exe
1776	backup.exe
1300	backup.exe
1720	System Restore.exe
320	backup.exe
524	backup.exe
1768	backup.exe
552	backup.exe
1540	backup.exe
1524	backup.exe
788	backup.exe
1416	backup.exe
928	backup.exe
2004	backup.exe
860	backup.exe
1636	backup.exe
1996	backup.exe
1972	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1292 wrote to memory of 1080	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1080	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1080	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1080	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 940	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 940	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 940	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 940	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 756	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 756	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 756	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 756	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1932	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1932	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1932	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1932	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1708	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1708	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1708	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1708	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1772	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1772	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1772	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 1772	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 788	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 788	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 788	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1292 wrote to memory of 788	1292	0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe	backup.exe
PID 1080 wrote to memory of 1816	1080	backup.exe	backup.exe
PID 1080 wrote to memory of 1816	1080	backup.exe	backup.exe
PID 1080 wrote to memory of 1816	1080	backup.exe	backup.exe
PID 1080 wrote to memory of 1816	1080	backup.exe	backup.exe
PID 1816 wrote to memory of 1656	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1656	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1656	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1656	1816	backup.exe	backup.exe
PID 1656 wrote to memory of 1492	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1492	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1492	1656	backup.exe	backup.exe
PID 1656 wrote to memory of 1492	1656	backup.exe	backup.exe
PID 1816 wrote to memory of 1504	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1504	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1504	1816	backup.exe	backup.exe
PID 1816 wrote to memory of 1504	1816	backup.exe	backup.exe
PID 1504 wrote to memory of 1832	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 1832	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 1832	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 1832	1504	backup.exe	backup.exe
PID 1832 wrote to memory of 316	1832	backup.exe	backup.exe
PID 1832 wrote to memory of 316	1832	backup.exe	backup.exe
PID 1832 wrote to memory of 316	1832	backup.exe	backup.exe
PID 1832 wrote to memory of 316	1832	backup.exe	backup.exe
PID 1504 wrote to memory of 996	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 996	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 996	1504	backup.exe	backup.exe
PID 1504 wrote to memory of 996	1504	backup.exe	backup.exe
PID 996 wrote to memory of 1828	996	backup.exe	backup.exe
PID 996 wrote to memory of 1828	996	backup.exe	backup.exe
PID 996 wrote to memory of 1828	996	backup.exe	backup.exe
PID 996 wrote to memory of 1828	996	backup.exe	backup.exe
PID 1828 wrote to memory of 684	1828	backup.exe	backup.exe
PID 1828 wrote to memory of 684	1828	backup.exe	backup.exe
PID 1828 wrote to memory of 684	1828	backup.exe	backup.exe
PID 1828 wrote to memory of 684	1828	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe
"C:\Users\Admin\AppData\Local\Temp\0257f371db74f30e746dd7e02dd3ad52860067751e80d4db5939ad1a8ee4f20d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\3941539770\backup.exe
C:\Users\Admin\AppData\Local\Temp\3941539770\backup.exe C:\Users\Admin\AppData\Local\Temp\3941539770\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:316

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:456

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1104

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:676

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1752

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:616

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:828

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:316

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1804

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:552

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:788

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:928

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:860

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1996

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
PID:1956

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:2024

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1872

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:1640

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- System policy modification
PID:1352

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:1392

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:432

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
- Drops file in Program Files directory
PID:1824

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:1328

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
- Disables RegEdit via registry modification
PID:1168

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
- Disables RegEdit via registry modification
PID:1424

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
PID:1808

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
PID:2016

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
- Disables RegEdit via registry modification
PID:976

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1160

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:472

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:1776

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- Disables RegEdit via registry modification
PID:1928

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Drops file in Program Files directory
PID:456

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:584

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
- System policy modification
PID:1372

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
- Disables RegEdit via registry modification
PID:1768

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:1708

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:568

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:888

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
- Disables RegEdit via registry modification
- System policy modification
PID:948

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
- Disables RegEdit via registry modification
PID:788

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\data.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:1812

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
- System policy modification
PID:1616

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:1132

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1072

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:860

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
PID:820

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1148

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:1952

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:1964

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:616

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2024

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1872

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:360

C:\Program Files\Common Files\System\de-DE\System Restore.exe
"C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1640

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
- System policy modification
PID:1352

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:1392

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
PID:900

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:112

C:\Program Files\Common Files\System\ja-JP\data.exe
"C:\Program Files\Common Files\System\ja-JP\data.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:1268

C:\Program Files\Common Files\System\msadc\System Restore.exe
"C:\Program Files\Common Files\System\msadc\System Restore.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Drops file in Program Files directory
PID:1408

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1532

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
- System policy modification
PID:1752

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
- Disables RegEdit via registry modification
PID:1520

C:\Program Files\Common Files\System\msadc\it-IT\data.exe
"C:\Program Files\Common Files\System\msadc\it-IT\data.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1524

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:948

C:\Program Files\Common Files\System\Ole DB\data.exe
"C:\Program Files\Common Files\System\Ole DB\data.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1812

C:\Program Files\Common Files\System\Ole DB\de-DE\System Restore.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
- System policy modification
PID:836

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
- Disables RegEdit via registry modification
PID:1964

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:1692

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1508

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:1732

C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
- Disables RegEdit via registry modification
PID:1752

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1928

C:\Program Files\DVD Maker\de-DE\update.exe
"C:\Program Files\DVD Maker\de-DE\update.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
PID:1880

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- System policy modification
PID:1616

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:860

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- System policy modification
PID:1972

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- System policy modification
PID:1552

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1304

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:316

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:796

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1668

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:1424

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
PID:1020

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:320

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1768

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
- Disables RegEdit via registry modification
PID:920

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
- System policy modification
PID:568

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
- System policy modification
PID:1828

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:1416

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1072

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
- System policy modification
PID:836

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:616

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
PID:1992

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:828

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:1464

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:1668

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
- Disables RegEdit via registry modification
PID:2012

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2020

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:472

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Drops file in Program Files directory
PID:1540

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Disables RegEdit via registry modification
PID:1708

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1408

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
PID:1416

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
- Disables RegEdit via registry modification
PID:1032

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- Disables RegEdit via registry modification
PID:548

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\update.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- System policy modification
PID:2024

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:1572

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
- Disables RegEdit via registry modification
PID:1512

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
- Disables RegEdit via registry modification
PID:1772

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
PID:2004

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
PID:1620

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
PID:1492

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Disables RegEdit via registry modification
PID:856

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:1356

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:1084

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:684

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:432

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1360

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:1756

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:472

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1640

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Modifies visibility of file extensions in Explorer
PID:1828

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1304

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:1028

C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
PID:1764

C:\Program Files\Java\jdk1.7.0_80\include\data.exe
"C:\Program Files\Java\jdk1.7.0_80\include\data.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:1548

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
PID:1372

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1336

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2012

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
- System policy modification
PID:1540

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
PID:1564

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
PID:1508

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
PID:1104

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:524

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
PID:2028

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:1456

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
PID:1572

C:\Program Files\Microsoft Games\Mahjong\System Restore.exe
"C:\Program Files\Microsoft Games\Mahjong\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
PID:1048

C:\Program Files\Microsoft Games\Minesweeper\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
PID:976

C:\Program Files\Microsoft Games\More Games\backup.exe
"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:1000

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:1020

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:456

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:320

C:\Program Files\Reference Assemblies\update.exe
"C:\Program Files\Reference Assemblies\update.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:1592

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:1600

C:\Program Files\Windows Defender\backup.exe
"C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
5⤵
PID:740

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
PID:1164

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1632

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:984

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
- Disables RegEdit via registry modification
PID:2012

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:560

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
- System policy modification
PID:676

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- System policy modification
PID:1664

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:1540

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
- Modifies visibility of file extensions in Explorer
PID:548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:1356

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
- System policy modification
PID:1656

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:1084

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1596

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1388

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
- Drops file in Program Files directory
PID:1804

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:684

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:944

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:472

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1104

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
- Disables RegEdit via registry modification
PID:524

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
PID:1664

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:888

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:1032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
- System policy modification
PID:1620

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
- Drops file in Program Files directory
PID:548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
- Disables RegEdit via registry modification
PID:1656

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
- Disables RegEdit via registry modification
PID:1224

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:1832

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1756

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
- System policy modification
PID:1352

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
- Disables RegEdit via registry modification
PID:1824

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2016

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
- System policy modification
PID:1020

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1564

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
PID:1768

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
PID:552

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
- Disables RegEdit via registry modification
PID:1012

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1524

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:788

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1392

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Modifies visibility of file extensions in Explorer
PID:1368

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:1820

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1660

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1552

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
- System policy modification
PID:268

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
- Disables RegEdit via registry modification
PID:1268

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:1092

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- System policy modification
PID:1000

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1932

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
PID:1520

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:552

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
- Modifies visibility of file extensions in Explorer
PID:740

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:1148

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
- Disables RegEdit via registry modification
PID:1640

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
- Drops file in Program Files directory
- System policy modification
PID:860

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
PID:828

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:1328

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
PID:1384

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:692

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:1820

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:1152

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:1988

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:1540

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:1620

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1388

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
- Disables RegEdit via registry modification
PID:944

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:1868

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
- Drops file in Program Files directory
PID:1716

C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
6⤵
PID:624

C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
6⤵
PID:1776

C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
6⤵
PID:948

C:\Program Files (x86)\Microsoft Office\Office14\update.exe
"C:\Program Files (x86)\Microsoft Office\Office14\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\
6⤵
PID:1628

C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe
"C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\
6⤵
PID:820

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:1708

C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe
"C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:1012

C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
5⤵
PID:1992

C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
"C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
5⤵
PID:1964

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
PID:360

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Disables RegEdit via registry modification
PID:1568

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Disables RegEdit via registry modification
PID:2028

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1104

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:1660

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:2024

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:2020

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1324

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:1560

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:1728

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:1772

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:984

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:660

C:\Users\Public\update.exe
C:\Users\Public\update.exe C:\Users\Public\
5⤵
PID:1224

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:1508

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:1512

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1620

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:1424

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:1160

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:1952

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:1072

C:\Windows\update.exe
C:\Windows\update.exe C:\Windows\
4⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1656

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1932

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1772

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
af1581c94124a73e37402f75ae6b0b7b

SHA1
efe07d16261e9aba0bc87a052c1c84703f3359d7

SHA256
d9920045ca3d6c29d71d40fe5b2e5bf166bb16f81e7c1a76d3c1a7ffba92d691

SHA512
06f9eefd9811d52aec17b013e957950f17d6f20cd81d00864be66eacedfaa2d046cca82b7e299d954602f03830d88bee0e3c5702722c20311a8a1910863af258

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
8fdcb3adce1bd64cb551a7efd65998c7

SHA1
a55bf0f780d7bd28328a587d9bad92278c8173e7

SHA256
4e8aa04080a50709e55b8017f508633bf0e3b3054b0d7798786dc3843abc4e2f

SHA512
ef93976f9f994e02cf8b6aaac9e6f9ea8442727ffca184ce2523a6b006e3c26654dd5823ce5776b61e9327f014243ba445fd16bae8e61e44b17b6be83ec5e84e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
8fdcb3adce1bd64cb551a7efd65998c7

SHA1
a55bf0f780d7bd28328a587d9bad92278c8173e7

SHA256
4e8aa04080a50709e55b8017f508633bf0e3b3054b0d7798786dc3843abc4e2f

SHA512
ef93976f9f994e02cf8b6aaac9e6f9ea8442727ffca184ce2523a6b006e3c26654dd5823ce5776b61e9327f014243ba445fd16bae8e61e44b17b6be83ec5e84e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
326dc0f4292bdfa84235668943b21e81

SHA1
76b49152b95e3b084d9963761f3b6ca3b5ba3f65

SHA256
ed78a5a82ced1bb004d617591e8eb9e0cec59809121b68d9d48be08dac069086

SHA512
d43b53a73fa5e09b058974b234e796ac9d6f5fd19dd7117600092a2823f4286ed34767e6e44a1a0d9f74dbc379ade0ba8a69018c97eaa76fb163f1df97f325fb

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
326dc0f4292bdfa84235668943b21e81

SHA1
76b49152b95e3b084d9963761f3b6ca3b5ba3f65

SHA256
ed78a5a82ced1bb004d617591e8eb9e0cec59809121b68d9d48be08dac069086

SHA512
d43b53a73fa5e09b058974b234e796ac9d6f5fd19dd7117600092a2823f4286ed34767e6e44a1a0d9f74dbc379ade0ba8a69018c97eaa76fb163f1df97f325fb

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3941539770\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3941539770\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
C:\backup.exe

Filesize
72KB

MD5
93d6106c1f1c628cab8745c5622bd549

SHA1
e4e26f13226edd20f9ad2c29b7ff4f2717d7c2e7

SHA256
ca4504caaea015a546d3f5ff80885f81181e0c144b26d940eb910cd7f7987624

SHA512
b19387b4279c13fa86c8a5bb5b18bdc37374550d3877053516f20dd0368c4cb371576dbe1a3b33bee5af63b75f833d8c13ca5ac0a9a206510ad5e7cfa133410e

Download Submit
C:\backup.exe

Filesize
72KB

MD5
93d6106c1f1c628cab8745c5622bd549

SHA1
e4e26f13226edd20f9ad2c29b7ff4f2717d7c2e7

SHA256
ca4504caaea015a546d3f5ff80885f81181e0c144b26d940eb910cd7f7987624

SHA512
b19387b4279c13fa86c8a5bb5b18bdc37374550d3877053516f20dd0368c4cb371576dbe1a3b33bee5af63b75f833d8c13ca5ac0a9a206510ad5e7cfa133410e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
af1581c94124a73e37402f75ae6b0b7b

SHA1
efe07d16261e9aba0bc87a052c1c84703f3359d7

SHA256
d9920045ca3d6c29d71d40fe5b2e5bf166bb16f81e7c1a76d3c1a7ffba92d691

SHA512
06f9eefd9811d52aec17b013e957950f17d6f20cd81d00864be66eacedfaa2d046cca82b7e299d954602f03830d88bee0e3c5702722c20311a8a1910863af258

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
af1581c94124a73e37402f75ae6b0b7b

SHA1
efe07d16261e9aba0bc87a052c1c84703f3359d7

SHA256
d9920045ca3d6c29d71d40fe5b2e5bf166bb16f81e7c1a76d3c1a7ffba92d691

SHA512
06f9eefd9811d52aec17b013e957950f17d6f20cd81d00864be66eacedfaa2d046cca82b7e299d954602f03830d88bee0e3c5702722c20311a8a1910863af258

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
066edc25e0359a6515fbc77753424a10

SHA1
4e31fa5af85bbb9d72711e523759360dc35f2c71

SHA256
518940ef56bfafbca305bf2db988cbba8ffdbdb74f91bbbf6fced81052085b55

SHA512
48c62e086f233cde072b8cc6bf632c84e3713f1c8bd680c1338f79d6368ef4430e981c4be559375a0e6f9e87225355039441f660ce3c949fb32c52427e8f5d9a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
8fdcb3adce1bd64cb551a7efd65998c7

SHA1
a55bf0f780d7bd28328a587d9bad92278c8173e7

SHA256
4e8aa04080a50709e55b8017f508633bf0e3b3054b0d7798786dc3843abc4e2f

SHA512
ef93976f9f994e02cf8b6aaac9e6f9ea8442727ffca184ce2523a6b006e3c26654dd5823ce5776b61e9327f014243ba445fd16bae8e61e44b17b6be83ec5e84e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
8fdcb3adce1bd64cb551a7efd65998c7

SHA1
a55bf0f780d7bd28328a587d9bad92278c8173e7

SHA256
4e8aa04080a50709e55b8017f508633bf0e3b3054b0d7798786dc3843abc4e2f

SHA512
ef93976f9f994e02cf8b6aaac9e6f9ea8442727ffca184ce2523a6b006e3c26654dd5823ce5776b61e9327f014243ba445fd16bae8e61e44b17b6be83ec5e84e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
b758eb76215b8a64da6e14e7fed65457

SHA1
358349bd50101bd8577c42d5c13ed2e03d4c8ac1

SHA256
01b6af2bbe16d907180ab7a93d6c3131e05e0ff24e07dc275e743506b7383455

SHA512
2c6a8fc8db172c383b2ac6aeae0c664554958928390bcdac8e2d9b2bd4fcccdef5f5732b0f966c2af003c6db9b0eeffd4ceef9ed967d4eaa1e653556cd35c85e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
8ee578556827ced6de2afa68f2eadb26

SHA1
fec0ab441405c223fbd62a1862cab6a5fda1ebff

SHA256
ab846a3ce62ae039247bd6ed595d5915dc8e0bbc84156ade6f60830a46a10a6b

SHA512
d4b689fd31237578e475e68c862070771c59b039ba761d300387e0770729ed8581a178fe2fdda731fa15c1b482ae6c7802880021c3150cd6e7b6224b0f07cb8e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
7d820cbc551ace311a1c49f40c019f32

SHA1
50e62a4e962898c3642c541694a80b544be75841

SHA256
a6d09a73dbb6f76876930c85cdaaa6888649c782daeb61f08eba8a977c9c9cba

SHA512
28d9c15431c8fdb36a09a36a72b774efeeab3de4a768dda9ee4d35d814150dee5cf6b1b9889faa50d62191e37c4b96f0e83c5969b48a742b0f214737724dcb14

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
326dc0f4292bdfa84235668943b21e81

SHA1
76b49152b95e3b084d9963761f3b6ca3b5ba3f65

SHA256
ed78a5a82ced1bb004d617591e8eb9e0cec59809121b68d9d48be08dac069086

SHA512
d43b53a73fa5e09b058974b234e796ac9d6f5fd19dd7117600092a2823f4286ed34767e6e44a1a0d9f74dbc379ade0ba8a69018c97eaa76fb163f1df97f325fb

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
326dc0f4292bdfa84235668943b21e81

SHA1
76b49152b95e3b084d9963761f3b6ca3b5ba3f65

SHA256
ed78a5a82ced1bb004d617591e8eb9e0cec59809121b68d9d48be08dac069086

SHA512
d43b53a73fa5e09b058974b234e796ac9d6f5fd19dd7117600092a2823f4286ed34767e6e44a1a0d9f74dbc379ade0ba8a69018c97eaa76fb163f1df97f325fb

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
647f13313c3d41ea31178126956f9034

SHA1
cbd457d8b3712a8281f04b0efc9bee501a130848

SHA256
2a751b36d319c57052a54f34910abea6df3eefbac6e1987353f6b045d345720c

SHA512
593b385c384309cad6f82b86076e218d66eaa9fdd015728d97c2ab8827148d4388c49a7e4fdaadfcc2e47f48ef130a0b20cbff054b8310e77f7f0b626cdcb6ec

Download Submit
\Users\Admin\AppData\Local\Temp\3941539770\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\3941539770\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
6461e1295cf12b53d415fd37b806970e

SHA1
b75e03fc843b7a1455092daddeacc33c905314cd

SHA256
5772f111d124d7928d4dc1423bb2dfa58fac8d024c44091c6eacfa3df915e40d

SHA512
21254b2fa8d69432b0442e771949cb1aeb2e6c8543d01cd760b415c1a47fb0378139e970cf411a238c49a2131d48cfc040026d749f3af7b00e88ee90e361ab2d

Download Submit
memory/316-135-0x0000000000000000-mapping.dmp

Download
memory/316-236-0x0000000000000000-mapping.dmp

Download
memory/320-269-0x0000000000000000-mapping.dmp

Download
memory/456-179-0x0000000000000000-mapping.dmp

Download
memory/524-272-0x0000000000000000-mapping.dmp

Download
memory/548-200-0x0000000000000000-mapping.dmp

Download
memory/552-278-0x0000000000000000-mapping.dmp

Download
memory/616-227-0x0000000000000000-mapping.dmp

Download
memory/676-185-0x0000000000000000-mapping.dmp

Download
memory/684-155-0x0000000000000000-mapping.dmp

Download
memory/756-70-0x0000000000000000-mapping.dmp

Download
memory/788-287-0x0000000000000000-mapping.dmp

Download
memory/788-94-0x0000000000000000-mapping.dmp

Download
memory/796-242-0x0000000000000000-mapping.dmp

Download
memory/828-233-0x0000000000000000-mapping.dmp

Download
memory/860-299-0x0000000000000000-mapping.dmp

Download
memory/892-197-0x0000000000000000-mapping.dmp

Download
memory/928-293-0x0000000000000000-mapping.dmp

Download
memory/940-64-0x0000000000000000-mapping.dmp

Download
memory/944-254-0x0000000000000000-mapping.dmp

Download
memory/996-141-0x0000000000000000-mapping.dmp

Download
memory/1080-58-0x0000000000000000-mapping.dmp

Download
memory/1104-182-0x0000000000000000-mapping.dmp

Download
memory/1132-212-0x0000000000000000-mapping.dmp

Download
memory/1148-221-0x0000000000000000-mapping.dmp

Download
memory/1160-168-0x0000000000000000-mapping.dmp

Download
memory/1168-245-0x0000000000000000-mapping.dmp

Download
memory/1212-194-0x0000000000000000-mapping.dmp

Download
memory/1268-248-0x0000000000000000-mapping.dmp

Download
memory/1292-98-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-118-0x0000000074BA1000-0x0000000074BA3000-memory.dmp

Filesize
8KB

Download
memory/1300-263-0x0000000000000000-mapping.dmp

Download
memory/1300-174-0x0000000000000000-mapping.dmp

Download
memory/1416-290-0x0000000000000000-mapping.dmp

Download
memory/1492-218-0x0000000000000000-mapping.dmp

Download
memory/1492-114-0x0000000000000000-mapping.dmp

Download
memory/1504-121-0x0000000000000000-mapping.dmp

Download
memory/1524-284-0x0000000000000000-mapping.dmp

Download
memory/1540-281-0x0000000000000000-mapping.dmp

Download
memory/1596-206-0x0000000000000000-mapping.dmp

Download
memory/1616-209-0x0000000000000000-mapping.dmp

Download
memory/1636-302-0x0000000000000000-mapping.dmp

Download
memory/1656-107-0x0000000000000000-mapping.dmp

Download
memory/1708-82-0x0000000000000000-mapping.dmp

Download
memory/1708-191-0x0000000000000000-mapping.dmp

Download
memory/1720-266-0x0000000000000000-mapping.dmp

Download
memory/1752-188-0x0000000000000000-mapping.dmp

Download
memory/1768-275-0x0000000000000000-mapping.dmp

Download
memory/1772-88-0x0000000000000000-mapping.dmp

Download
memory/1776-260-0x0000000000000000-mapping.dmp

Download
memory/1804-239-0x0000000000000000-mapping.dmp

Download
memory/1812-203-0x0000000000000000-mapping.dmp

Download
memory/1816-100-0x0000000000000000-mapping.dmp

Download
memory/1820-161-0x0000000000000000-mapping.dmp

Download
memory/1828-148-0x0000000000000000-mapping.dmp

Download
memory/1832-128-0x0000000000000000-mapping.dmp

Download
memory/1872-230-0x0000000000000000-mapping.dmp

Download
memory/1932-76-0x0000000000000000-mapping.dmp

Download
memory/1956-311-0x0000000000000000-mapping.dmp

Download
memory/1968-224-0x0000000000000000-mapping.dmp

Download
memory/1972-308-0x0000000000000000-mapping.dmp

Download
memory/1984-215-0x0000000000000000-mapping.dmp

Download
memory/1996-305-0x0000000000000000-mapping.dmp

Download
memory/2004-296-0x0000000000000000-mapping.dmp

Download
memory/2016-251-0x0000000000000000-mapping.dmp

Download
memory/2028-257-0x0000000000000000-mapping.dmp

Download