7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5

Analysis

max time kernel
171s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe
Size

72KB
MD5

43aee6febc785e84334074a84a88ccaf
SHA1

7d38cf3c5cff50d7afed3868e7979e0aa2afae7b
SHA256

7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5
SHA512

07adb3d75d3430a9b2474481492ae5be6886b1d1ec82652e2c07658a2b7ffc4b85094a4ad71a56dde076eae83f26610cbc2b69b9d4adf95a8645d580969515fb
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd/+I97:HeT7BVwxfvqguKp+S7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeSystem Restore.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exebackup.exedata.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
5096	backup.exe
5084	backup.exe
4304	backup.exe
1404	backup.exe
4172	backup.exe
1080	backup.exe
1160	backup.exe
244	backup.exe
4148	update.exe
3680	backup.exe
3516	System Restore.exe
3404	backup.exe
8	backup.exe
460	backup.exe
3632	backup.exe
3816	backup.exe
2044	backup.exe
1144	backup.exe
2492	backup.exe
2148	backup.exe
4024	backup.exe
784	System Restore.exe
2116	System Restore.exe
3140	backup.exe
640	backup.exe
3472	backup.exe
3764	backup.exe
4316	backup.exe
1028	backup.exe
2608	backup.exe
4420	backup.exe
3124	update.exe
3672	backup.exe
600	backup.exe
2396	backup.exe
2064	backup.exe
4780	update.exe
3736	backup.exe
4928	backup.exe
5044	backup.exe
2392	backup.exe
4184	backup.exe
4908	update.exe
896	data.exe
4676	backup.exe
3108	backup.exe
2988	backup.exe
984	backup.exe
1820	backup.exe
4892	backup.exe
4876	backup.exe
4116	backup.exe
4036	backup.exe
4736	backup.exe
2728	update.exe
4268	backup.exe
4180	backup.exe
1900	update.exe
1736	backup.exe
3592	backup.exe
1308	backup.exe
684	backup.exe
3052	backup.exe
332	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\System Restore.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\System Restore.exe	System Restore.exe

Drops file in Windows directory 22 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\AppReadiness\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\Programs\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\CustomSDB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\de-DE\update.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\backup.exe	backup.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe	backup.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backup.exe	backup.exe
File opened for modification	C:\Windows\apppatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\update.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe

pid process

4772 7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe
5096	backup.exe
5084	backup.exe
4304	backup.exe
1404	backup.exe
4172	backup.exe
1080	backup.exe
1160	backup.exe
244	backup.exe
4148	update.exe
3680	backup.exe
3516	System Restore.exe
3404	backup.exe
8	backup.exe
460	backup.exe
3632	backup.exe
3816	backup.exe
2044	backup.exe
1144	backup.exe
2492	backup.exe
2148	backup.exe
4024	backup.exe
784	System Restore.exe
2116	System Restore.exe
3140	backup.exe
640	backup.exe
3472	backup.exe
3764	backup.exe
4316	backup.exe
1028	backup.exe
2608	backup.exe
4420	backup.exe
3124	update.exe
3672	backup.exe
600	backup.exe
2396	backup.exe
2064	backup.exe
4780	update.exe
3736	backup.exe
4928	backup.exe
5044	backup.exe
2392	backup.exe
4184	backup.exe
4908	update.exe
896	data.exe
4676	backup.exe
3108	backup.exe
2988	backup.exe
984	backup.exe
1820	backup.exe
4892	backup.exe
4876	backup.exe
4116	backup.exe
4036	backup.exe
4736	backup.exe
2728	update.exe
4268	backup.exe
4180	backup.exe
1900	update.exe
1736	backup.exe
3592	backup.exe
1308	backup.exe
684	backup.exe
3052	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 4772 wrote to memory of 5096	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 5096	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 5096	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 5084	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 5084	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 5084	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4304	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4304	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4304	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1404	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1404	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1404	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4172	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4172	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 4172	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1080	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1080	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1080	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1160	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1160	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 4772 wrote to memory of 1160	4772	7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe	backup.exe
PID 5096 wrote to memory of 244	5096	backup.exe	backup.exe
PID 5096 wrote to memory of 244	5096	backup.exe	backup.exe
PID 5096 wrote to memory of 244	5096	backup.exe	backup.exe
PID 244 wrote to memory of 4148	244	backup.exe	update.exe
PID 244 wrote to memory of 4148	244	backup.exe	update.exe
PID 244 wrote to memory of 4148	244	backup.exe	update.exe
PID 244 wrote to memory of 3680	244	backup.exe	backup.exe
PID 244 wrote to memory of 3680	244	backup.exe	backup.exe
PID 244 wrote to memory of 3680	244	backup.exe	backup.exe
PID 244 wrote to memory of 3516	244	backup.exe	System Restore.exe
PID 244 wrote to memory of 3516	244	backup.exe	System Restore.exe
PID 244 wrote to memory of 3516	244	backup.exe	System Restore.exe
PID 3516 wrote to memory of 3404	3516	System Restore.exe	backup.exe
PID 3516 wrote to memory of 3404	3516	System Restore.exe	backup.exe
PID 3516 wrote to memory of 3404	3516	System Restore.exe	backup.exe
PID 3404 wrote to memory of 8	3404	backup.exe	backup.exe
PID 3404 wrote to memory of 8	3404	backup.exe	backup.exe
PID 3404 wrote to memory of 8	3404	backup.exe	backup.exe
PID 3516 wrote to memory of 460	3516	System Restore.exe	backup.exe
PID 3516 wrote to memory of 460	3516	System Restore.exe	backup.exe
PID 3516 wrote to memory of 460	3516	System Restore.exe	backup.exe
PID 460 wrote to memory of 3632	460	backup.exe	backup.exe
PID 460 wrote to memory of 3632	460	backup.exe	backup.exe
PID 460 wrote to memory of 3632	460	backup.exe	backup.exe
PID 460 wrote to memory of 3816	460	backup.exe	backup.exe
PID 460 wrote to memory of 3816	460	backup.exe	backup.exe
PID 460 wrote to memory of 3816	460	backup.exe	backup.exe
PID 3816 wrote to memory of 2044	3816	backup.exe	backup.exe
PID 3816 wrote to memory of 2044	3816	backup.exe	backup.exe
PID 3816 wrote to memory of 2044	3816	backup.exe	backup.exe
PID 3816 wrote to memory of 1144	3816	backup.exe	backup.exe
PID 3816 wrote to memory of 1144	3816	backup.exe	backup.exe
PID 3816 wrote to memory of 1144	3816	backup.exe	backup.exe
PID 1144 wrote to memory of 2492	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 2492	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 2492	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 2148	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 2148	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 2148	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 4024	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 4024	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 4024	1144	backup.exe	backup.exe
PID 1144 wrote to memory of 784	1144	backup.exe	System Restore.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exeupdate.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe
"C:\Users\Admin\AppData\Local\Temp\7e344d7b4b0c0c06558981158c8b75d576de1b3d72446d110863401559968ed5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\2689094358\backup.exe
C:\Users\Admin\AppData\Local\Temp\2689094358\backup.exe C:\Users\Admin\AppData\Local\Temp\2689094358\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5096

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244

C:\odt\update.exe
C:\odt\update.exe C:\odt\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4148

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Program Files\System Restore.exe
"C:\Program Files\System Restore.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3404

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:8

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:460

C:\Program Files\Common Files\DESIGNER\backup.exe
"C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Program Files\Common Files\microsoft shared\backup.exe
"C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3816

C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
"C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4024

C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:784

C:\Program Files\Common Files\microsoft shared\ink\de-DE\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\ink\de-DE\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:640

C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4316

C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:600

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2396

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3736

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4928

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2392

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4184

C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4908

C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe
"C:\Program Files\Common Files\microsoft shared\ink\he-IL\data.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896

C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:984

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ko-KR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4892

C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4036

C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4736

C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\microsoft shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4268

C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-BR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\pt-PT\update.exe" C:\Program Files\Common Files\microsoft shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sk-SK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\sv-SE\
8⤵
- Executes dropped EXE
PID:332

C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\th-TH\
8⤵
PID:3768

C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\tr-TR\
8⤵
PID:3520

C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\ink\uk-UA\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\uk-UA\
8⤵
PID:4888

C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe
"C:\Program Files\Common Files\microsoft shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-CN\
8⤵
- System policy modification
PID:716

C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\microsoft shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\zh-TW\
8⤵
PID:1752

C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
7⤵
- System policy modification
PID:3312

C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
PID:2868

C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4536

C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
PID:2668

C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
PID:4664

C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:3120

C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4396

C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1376

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe
"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\data.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
8⤵
PID:3504

C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:4980

C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
"C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
7⤵
PID:1856

C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\Stationery\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
7⤵
PID:1004

C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
7⤵
- Drops file in Program Files directory
PID:2608

C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
8⤵
PID:2588

C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
7⤵
- Drops file in Program Files directory
PID:4920

C:\Program Files\Common Files\microsoft shared\Triedit\en-US\System Restore.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\en-US\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2552

C:\Program Files\Common Files\microsoft shared\VC\backup.exe
"C:\Program Files\Common Files\microsoft shared\VC\backup.exe" C:\Program Files\Common Files\microsoft shared\VC\
7⤵
PID:760

C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
"C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1116

C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
7⤵
PID:2396

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
8⤵
PID:2684

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
9⤵
PID:4252

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:3440

C:\Program Files\Common Files\System\data.exe
"C:\Program Files\Common Files\System\data.exe" C:\Program Files\Common Files\System\
6⤵
- Modifies visibility of file extensions in Explorer
PID:3736

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:3960

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:5044

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:2040

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
- System policy modification
PID:2084

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:3672

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
PID:776

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:4332

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1436

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:4116

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
- Modifies visibility of file extensions in Explorer
PID:2420

C:\Program Files\Common Files\System\fr-FR\backup.exe
"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
PID:4924

C:\Program Files\Common Files\System\it-IT\data.exe
"C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:3556

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:4812

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:3716

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
PID:460

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:3844

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
PID:2424

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4248

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
PID:4652

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
- System policy modification
PID:3896

C:\Program Files\Common Files\System\Ole DB\data.exe
"C:\Program Files\Common Files\System\Ole DB\data.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- Drops file in Program Files directory
PID:3624

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4756

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:2104

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:3668

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:3644

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:4432

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:1508

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:2664

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
PID:3864

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- System policy modification
PID:4036

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
PID:696

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4452

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
PID:1424

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
PID:1488

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2672

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\data.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:3252

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
PID:3080

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
PID:776

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
PID:1908

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
- Drops file in Program Files directory
PID:4060

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
- System policy modification
PID:4344

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- System policy modification
PID:1324

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:3212

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:116

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:4264

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:4656

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:412

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:4100

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
- System policy modification
PID:3940

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:4972

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:1928

C:\Program Files\Java\jdk1.8.0_66\System Restore.exe
"C:\Program Files\Java\jdk1.8.0_66\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\
6⤵
- Drops file in Program Files directory
PID:1692

C:\Program Files\Java\jdk1.8.0_66\bin\System Restore.exe
"C:\Program Files\Java\jdk1.8.0_66\bin\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3608

C:\Program Files\Java\jdk1.8.0_66\db\update.exe
"C:\Program Files\Java\jdk1.8.0_66\db\update.exe" C:\Program Files\Java\jdk1.8.0_66\db\
7⤵
- Drops file in Program Files directory
PID:4668

C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
8⤵
PID:504

C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
8⤵
PID:2316

C:\Program Files\Java\jdk1.8.0_66\include\System Restore.exe
"C:\Program Files\Java\jdk1.8.0_66\include\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\include\
7⤵
- System policy modification
PID:3900

C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\
8⤵
- System policy modification
PID:2868

C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\
9⤵
PID:4172

C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\
7⤵
PID:2576

C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\
8⤵
PID:4112

C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\
9⤵
PID:4484

C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\
9⤵
PID:4868

C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\
9⤵
PID:4024

C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\
8⤵
PID:1004

C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\
9⤵
PID:468

C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:5068

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\System Restore.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\System Restore.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4560

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\
9⤵
- Modifies visibility of file extensions in Explorer
PID:4144

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\data.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\data.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
PID:3644

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:504

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\
9⤵
PID:936

C:\Program Files\Java\jre1.8.0_66\update.exe
"C:\Program Files\Java\jre1.8.0_66\update.exe" C:\Program Files\Java\jre1.8.0_66\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1856

C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
7⤵
- Drops file in Program Files directory
PID:4780

C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
8⤵
PID:3448

C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\plugin2\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\plugin2\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4280

C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe
"C:\Program Files\Java\jre1.8.0_66\bin\server\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\server\
8⤵
- System policy modification
PID:2664

C:\Program Files\Java\jre1.8.0_66\lib\backup.exe
"C:\Program Files\Java\jre1.8.0_66\lib\backup.exe" C:\Program Files\Java\jre1.8.0_66\lib\
7⤵
- Drops file in Program Files directory
PID:4320

C:\Program Files\Java\jre1.8.0_66\lib\amd64\data.exe
"C:\Program Files\Java\jre1.8.0_66\lib\amd64\data.exe" C:\Program Files\Java\jre1.8.0_66\lib\amd64\
8⤵
- Modifies visibility of file extensions in Explorer
PID:3464

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:4252

C:\Program Files\Microsoft Office\Office16\backup.exe
"C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
6⤵
PID:4116

C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe
"C:\Program Files\Microsoft Office\PackageManifests\System Restore.exe" C:\Program Files\Microsoft Office\PackageManifests\
6⤵
PID:1092

C:\Program Files\Microsoft Office\root\backup.exe
"C:\Program Files\Microsoft Office\root\backup.exe" C:\Program Files\Microsoft Office\root\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:828

C:\Program Files\Microsoft Office\root\Client\backup.exe
"C:\Program Files\Microsoft Office\root\Client\backup.exe" C:\Program Files\Microsoft Office\root\Client\
7⤵
- Modifies visibility of file extensions in Explorer
PID:4660

C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\
7⤵
PID:4376

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\
8⤵
PID:4336

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\update.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\update.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\
8⤵
PID:4588

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe
"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\backup.exe" C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\
8⤵
- Modifies visibility of file extensions in Explorer
PID:456

C:\Program Files\Microsoft Office\root\fre\backup.exe
"C:\Program Files\Microsoft Office\root\fre\backup.exe" C:\Program Files\Microsoft Office\root\fre\
7⤵
PID:2704

C:\Program Files\Microsoft Office\root\Integration\backup.exe
"C:\Program Files\Microsoft Office\root\Integration\backup.exe" C:\Program Files\Microsoft Office\root\Integration\
7⤵
PID:4424

C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe
"C:\Program Files\Microsoft Office\root\Integration\Addons\backup.exe" C:\Program Files\Microsoft Office\root\Integration\Addons\
8⤵
PID:1568

C:\Program Files\Microsoft Office\root\Licenses\backup.exe
"C:\Program Files\Microsoft Office\root\Licenses\backup.exe" C:\Program Files\Microsoft Office\root\Licenses\
7⤵
PID:1464

C:\Program Files\Microsoft Office\root\Licenses16\backup.exe
"C:\Program Files\Microsoft Office\root\Licenses16\backup.exe" C:\Program Files\Microsoft Office\root\Licenses16\
7⤵
PID:684

C:\Program Files\Microsoft Office\root\loc\backup.exe
"C:\Program Files\Microsoft Office\root\loc\backup.exe" C:\Program Files\Microsoft Office\root\loc\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1568

C:\Program Files\Microsoft Office\root\Office15\backup.exe
"C:\Program Files\Microsoft Office\root\Office15\backup.exe" C:\Program Files\Microsoft Office\root\Office15\
7⤵
PID:1512

C:\Program Files\Microsoft Office\Updates\update.exe
"C:\Program Files\Microsoft Office\Updates\update.exe" C:\Program Files\Microsoft Office\Updates\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2496

C:\Program Files\Microsoft Office\Updates\Apply\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\
7⤵
PID:3632

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\
8⤵
PID:3924

C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
"C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\B11EF506-7DE1-455F-8E20-67264DD4AF60\
9⤵
PID:1376

C:\Program Files\Microsoft Office\Updates\Download\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1080

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\
8⤵
PID:3792

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\backup.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B11EF506-7DE1-455F-8E20-67264DD4AF60\
9⤵
PID:2588

C:\Program Files\Microsoft Office 15\backup.exe
"C:\Program Files\Microsoft Office 15\backup.exe" C:\Program Files\Microsoft Office 15\
5⤵
PID:3504

C:\Program Files\Microsoft Office 15\ClientX64\backup.exe
"C:\Program Files\Microsoft Office 15\ClientX64\backup.exe" C:\Program Files\Microsoft Office 15\ClientX64\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
- Drops file in Program Files directory
PID:952

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
6⤵
PID:1976

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
7⤵
- System policy modification
PID:2104

C:\Program Files\Mozilla Firefox\browser\VisualElements\System Restore.exe
"C:\Program Files\Mozilla Firefox\browser\VisualElements\System Restore.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
7⤵
PID:4336

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
6⤵
- System policy modification
PID:4172

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
7⤵
PID:4756

C:\Program Files\MSBuild\data.exe
"C:\Program Files\MSBuild\data.exe" C:\Program Files\MSBuild\
5⤵
PID:4516

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
6⤵
PID:3412

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
- Modifies visibility of file extensions in Explorer
PID:900

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:896

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
PID:4784

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
- System policy modification
PID:4504

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
6⤵
PID:2304

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:3632

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:904

C:\Program Files (x86)\Adobe\System Restore.exe
"C:\Program Files (x86)\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\
5⤵
- System policy modification
PID:896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
6⤵
- Drops file in Program Files directory
PID:3108

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
7⤵
PID:2948

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:5008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
8⤵
PID:3484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
9⤵
PID:4376

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
8⤵
PID:4536

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
9⤵
PID:4860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4256

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
8⤵
PID:1768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4268

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\
9⤵
PID:2524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\
8⤵
PID:648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\
8⤵
PID:1624

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\
8⤵
PID:1480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\
9⤵
PID:1552

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\
8⤵
PID:4320

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\
9⤵
PID:3492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:3144

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\
9⤵
PID:3464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\data.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\data.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:4252

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\
9⤵
PID:456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\
10⤵
PID:3816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:3468

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\
9⤵
PID:4956

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\
8⤵
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\
9⤵
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2812

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\
8⤵
PID:4116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:1516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
8⤵
PID:3900

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
9⤵
PID:204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
8⤵
PID:5108

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\
8⤵
PID:3248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\
9⤵
- Drops file in Program Files directory
PID:4284

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:4368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Drops file in Program Files directory
PID:2728

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\System Restore.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
- System policy modification
PID:2304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
- System policy modification
PID:2064

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\
7⤵
PID:4452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\
8⤵
PID:1588

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Drops file in Program Files directory
PID:4984

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
PID:216

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
PID:3468

C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
7⤵
- System policy modification
PID:3756

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:4012

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
7⤵
- System policy modification
PID:4476

C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
8⤵
PID:4044

C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
7⤵
PID:4196

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4148

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\
9⤵
PID:3864

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\
10⤵
- Modifies visibility of file extensions in Explorer
PID:1484

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\
10⤵
- Drops file in Program Files directory
- System policy modification
PID:1652

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\
11⤵
PID:4156

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\
11⤵
PID:4972

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\
12⤵
PID:3664

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\
13⤵
PID:4816

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\
14⤵
- Modifies visibility of file extensions in Explorer
PID:1476

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\
14⤵
- System policy modification
PID:4060

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\
14⤵
PID:1892

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\
13⤵
- System policy modification
PID:4292

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\
14⤵
PID:4428

C:\Program Files (x86)\Common Files\Java\backup.exe
"C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
6⤵
PID:1116

C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
7⤵
PID:1080

C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\
6⤵
PID:3244

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\
7⤵
PID:2704

C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\
7⤵
PID:2200

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\
7⤵
- Drops file in Program Files directory
PID:3680

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\
8⤵
PID:4712

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\
8⤵
PID:1404

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\
8⤵
PID:2552

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
PID:2492

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
PID:4460

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\data.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\data.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\
8⤵
PID:3608

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:3868

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\
7⤵
PID:4184

C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\
8⤵
PID:3816

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\
7⤵
- System policy modification
PID:3652

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1804

C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\
7⤵
PID:2864

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\
7⤵
PID:3844

C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:4676

C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files (x86)\Common Files\Microsoft Shared\VC\
7⤵
PID:2400

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:4436

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:2524

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1072

C:\Program Files (x86)\Common Files\System\ado\de-DE\System Restore.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:3944

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:1412

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
8⤵
PID:3752

C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
8⤵
PID:5032

C:\Program Files (x86)\Common Files\System\ado\it-IT\update.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\update.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
8⤵
PID:3756

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:4272

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:984

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:1640

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:4408

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
- Drops file in Program Files directory
PID:1256

C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
7⤵
PID:4860

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
7⤵
PID:4432

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
8⤵
PID:3916

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
9⤵
PID:4768

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
7⤵
PID:1488

C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe
"C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4CA8DFAB-80A0-43FC-AC78-FBACDED770CF}\
8⤵
PID:3792

C:\Program Files (x86)\Google\Update\Offline\backup.exe
"C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
7⤵
PID:3232

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1464

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:3916

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:3712

C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:2148

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:4708

C:\Program Files (x86)\Internet Explorer\images\backup.exe
"C:\Program Files (x86)\Internet Explorer\images\backup.exe" C:\Program Files (x86)\Internet Explorer\images\
6⤵
- System policy modification
PID:4504

C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
PID:3664

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
PID:3332

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
PID:4116

C:\Program Files (x86)\Microsoft\update.exe
"C:\Program Files (x86)\Microsoft\update.exe" C:\Program Files (x86)\Microsoft\
5⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\backup.exe" C:\Program Files (x86)\Microsoft\Edge\
6⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\
7⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
8⤵
- Drops file in Program Files directory
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\System Restore.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\System Restore.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\
9⤵
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\
10⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\
10⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\backup.exe" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\
9⤵
PID:3924

C:\Program Files (x86)\Microsoft.NET\backup.exe
"C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:2608

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1888

C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
6⤵
- System policy modification
PID:1736

C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
5⤵
PID:3068

C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
6⤵
PID:4752

C:\Program Files (x86)\MSBuild\backup.exe
"C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
5⤵
PID:2752

C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\
6⤵
- Drops file in Program Files directory
PID:3656

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
- Drops file in Program Files directory
PID:4748

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:2492

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
PID:3668

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
PID:4040

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
PID:1900

C:\Users\Admin\3D Objects\backup.exe
"C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
6⤵
PID:1796

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:2496

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- System policy modification
PID:1716

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:3332

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:396

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:1976

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:3260

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:928

C:\Users\Admin\OneDrive\backup.exe
C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
6⤵
PID:4648

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2260

C:\Users\Admin\Pictures\Camera Roll\System Restore.exe
"C:\Users\Admin\Pictures\Camera Roll\System Restore.exe" C:\Users\Admin\Pictures\Camera Roll\
7⤵
- System policy modification
PID:3212

C:\Users\Admin\Pictures\Saved Pictures\backup.exe
"C:\Users\Admin\Pictures\Saved Pictures\backup.exe" C:\Users\Admin\Pictures\Saved Pictures\
7⤵
- Modifies visibility of file extensions in Explorer
PID:5108

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:2000

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:924

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:4272

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:3764

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
- System policy modification
PID:1120

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:408

C:\Users\Public\Music\update.exe
C:\Users\Public\Music\update.exe C:\Users\Public\Music\
6⤵
- System policy modification
PID:3664

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:4316

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:3180

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in Windows directory
PID:5016

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
- Modifies visibility of file extensions in Explorer
PID:2728

C:\Windows\appcompat\backup.exe
C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
5⤵
- Drops file in Windows directory
PID:1704

C:\Windows\appcompat\appraiser\backup.exe
C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
6⤵
- Drops file in Windows directory
PID:1324

C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe
"C:\Windows\appcompat\appraiser\Telemetry\System Restore.exe" C:\Windows\appcompat\appraiser\Telemetry\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3920

C:\Windows\appcompat\encapsulation\backup.exe
C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
6⤵
PID:4476

C:\Windows\appcompat\Programs\backup.exe
C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
6⤵
PID:4016

C:\Windows\apppatch\backup.exe
C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
5⤵
- Drops file in Windows directory
PID:3764

C:\Windows\apppatch\AppPatch64\backup.exe
C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
6⤵
- System policy modification
PID:4196

C:\Windows\apppatch\Custom\backup.exe
C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
6⤵
- Drops file in Windows directory
PID:2816

C:\Windows\apppatch\Custom\Custom64\backup.exe
C:\Windows\apppatch\Custom\Custom64\backup.exe C:\Windows\apppatch\Custom\Custom64\
7⤵
PID:5084

C:\Windows\apppatch\CustomSDB\backup.exe
C:\Windows\apppatch\CustomSDB\backup.exe C:\Windows\apppatch\CustomSDB\
6⤵
PID:4520

C:\Windows\apppatch\de-DE\update.exe
C:\Windows\apppatch\de-DE\update.exe C:\Windows\apppatch\de-DE\
6⤵
PID:1704

C:\Windows\apppatch\en-US\backup.exe
C:\Windows\apppatch\en-US\backup.exe C:\Windows\apppatch\en-US\
6⤵
PID:4424

C:\Windows\apppatch\es-ES\backup.exe
C:\Windows\apppatch\es-ES\backup.exe C:\Windows\apppatch\es-ES\
6⤵
PID:2764

C:\Windows\AppReadiness\backup.exe
C:\Windows\AppReadiness\backup.exe C:\Windows\AppReadiness\
5⤵
PID:720

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:376

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
- Drops file in Windows directory
PID:4872

C:\Windows\assembly\GAC\ADODB\backup.exe
C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
7⤵
- Drops file in Windows directory
PID:1640

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\update.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
- Modifies visibility of file extensions in Explorer
PID:980

C:\Windows\assembly\GAC\Extensibility\backup.exe
C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
7⤵
- Drops file in Windows directory
PID:644

C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4304

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4172

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7f67e8266c480a84bac659c7ce3b63c6

SHA1
657942f6f4a8681443d4e1ef47b8a1fbc63c86e0

SHA256
38fcabbbdf4c288766379f4e25998bad5690c73b7224ad5797f9c3bcfc162b05

SHA512
7630db61b12c4501b44a0369996ec8a18cc0f8357d0dc5efe6a3e24ecb2ef97d79d7c76265a96d13a897bcb3f0d75b9897cf15985ddd78ddf6e79e9cbfab4b78

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
7f67e8266c480a84bac659c7ce3b63c6

SHA1
657942f6f4a8681443d4e1ef47b8a1fbc63c86e0

SHA256
38fcabbbdf4c288766379f4e25998bad5690c73b7224ad5797f9c3bcfc162b05

SHA512
7630db61b12c4501b44a0369996ec8a18cc0f8357d0dc5efe6a3e24ecb2ef97d79d7c76265a96d13a897bcb3f0d75b9897cf15985ddd78ddf6e79e9cbfab4b78

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
36007196028881da30fc3824e4934a7b

SHA1
46d9239c021f8c666d16d54a2eb3de56577db97f

SHA256
5c7c4c48f42f0dd27f919df6eeff4a862c5ebeb3cdd2f0d127fa584d84e4f918

SHA512
d81d05f93b2e3d99c6e4a7e02c1d3a9181a902e9d290c24e9458c2ed8e6c5b585b3538dec0e2cdd04ef5ab6033a4997ab2849bcf6be5c9d02d6be4a7c2646785

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
36007196028881da30fc3824e4934a7b

SHA1
46d9239c021f8c666d16d54a2eb3de56577db97f

SHA256
5c7c4c48f42f0dd27f919df6eeff4a862c5ebeb3cdd2f0d127fa584d84e4f918

SHA512
d81d05f93b2e3d99c6e4a7e02c1d3a9181a902e9d290c24e9458c2ed8e6c5b585b3538dec0e2cdd04ef5ab6033a4997ab2849bcf6be5c9d02d6be4a7c2646785

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7f67e8266c480a84bac659c7ce3b63c6

SHA1
657942f6f4a8681443d4e1ef47b8a1fbc63c86e0

SHA256
38fcabbbdf4c288766379f4e25998bad5690c73b7224ad5797f9c3bcfc162b05

SHA512
7630db61b12c4501b44a0369996ec8a18cc0f8357d0dc5efe6a3e24ecb2ef97d79d7c76265a96d13a897bcb3f0d75b9897cf15985ddd78ddf6e79e9cbfab4b78

Download Submit
C:\Program Files\Common Files\DESIGNER\backup.exe

Filesize
72KB

MD5
7f67e8266c480a84bac659c7ce3b63c6

SHA1
657942f6f4a8681443d4e1ef47b8a1fbc63c86e0

SHA256
38fcabbbdf4c288766379f4e25998bad5690c73b7224ad5797f9c3bcfc162b05

SHA512
7630db61b12c4501b44a0369996ec8a18cc0f8357d0dc5efe6a3e24ecb2ef97d79d7c76265a96d13a897bcb3f0d75b9897cf15985ddd78ddf6e79e9cbfab4b78

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
36007196028881da30fc3824e4934a7b

SHA1
46d9239c021f8c666d16d54a2eb3de56577db97f

SHA256
5c7c4c48f42f0dd27f919df6eeff4a862c5ebeb3cdd2f0d127fa584d84e4f918

SHA512
d81d05f93b2e3d99c6e4a7e02c1d3a9181a902e9d290c24e9458c2ed8e6c5b585b3538dec0e2cdd04ef5ab6033a4997ab2849bcf6be5c9d02d6be4a7c2646785

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
36007196028881da30fc3824e4934a7b

SHA1
46d9239c021f8c666d16d54a2eb3de56577db97f

SHA256
5c7c4c48f42f0dd27f919df6eeff4a862c5ebeb3cdd2f0d127fa584d84e4f918

SHA512
d81d05f93b2e3d99c6e4a7e02c1d3a9181a902e9d290c24e9458c2ed8e6c5b585b3538dec0e2cdd04ef5ab6033a4997ab2849bcf6be5c9d02d6be4a7c2646785

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
a5b12972fc2a03a0ced3d39196f0bd74

SHA1
43e65a177a0b8dde03e7ce58f55b46bdb9f48b0c

SHA256
b9d8bd04c6f5f02ea71d9174ad07173ebb4d1ededd323388a7e8d237e1bb2d39

SHA512
fc8cb1b9cd7c983409733c821766ca558ee3a809ee02633b4848f8595ef3259dbfae7ef4ea80e5e867a5e20d4247ffa611ab053b1314a7936114185370fbf3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

Filesize
72KB

MD5
a5b12972fc2a03a0ced3d39196f0bd74

SHA1
43e65a177a0b8dde03e7ce58f55b46bdb9f48b0c

SHA256
b9d8bd04c6f5f02ea71d9174ad07173ebb4d1ededd323388a7e8d237e1bb2d39

SHA512
fc8cb1b9cd7c983409733c821766ca558ee3a809ee02633b4848f8595ef3259dbfae7ef4ea80e5e867a5e20d4247ffa611ab053b1314a7936114185370fbf3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
c9edbe411f52c78d751aeb71c75e1c50

SHA1
ecc5c5a65485159385f9701fe7d601335d8f3a06

SHA256
5a1c13bd9a005aade973c22a185af44873afdea708ccb36a196dc53bd2e50d9e

SHA512
47d64fafdc0ccdbcc7478ada62484b5632e88e5b663a20eb75014fb20dde588ced8f8c9cd378c9562de8f3dc79c6f9057cdf76b0e57f6b253250d8d0f1d11695

Download Submit
C:\Program Files\Common Files\microsoft shared\backup.exe

Filesize
72KB

MD5
c9edbe411f52c78d751aeb71c75e1c50

SHA1
ecc5c5a65485159385f9701fe7d601335d8f3a06

SHA256
5a1c13bd9a005aade973c22a185af44873afdea708ccb36a196dc53bd2e50d9e

SHA512
47d64fafdc0ccdbcc7478ada62484b5632e88e5b663a20eb75014fb20dde588ced8f8c9cd378c9562de8f3dc79c6f9057cdf76b0e57f6b253250d8d0f1d11695

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
a5b12972fc2a03a0ced3d39196f0bd74

SHA1
43e65a177a0b8dde03e7ce58f55b46bdb9f48b0c

SHA256
b9d8bd04c6f5f02ea71d9174ad07173ebb4d1ededd323388a7e8d237e1bb2d39

SHA512
fc8cb1b9cd7c983409733c821766ca558ee3a809ee02633b4848f8595ef3259dbfae7ef4ea80e5e867a5e20d4247ffa611ab053b1314a7936114185370fbf3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\backup.exe

Filesize
72KB

MD5
a5b12972fc2a03a0ced3d39196f0bd74

SHA1
43e65a177a0b8dde03e7ce58f55b46bdb9f48b0c

SHA256
b9d8bd04c6f5f02ea71d9174ad07173ebb4d1ededd323388a7e8d237e1bb2d39

SHA512
fc8cb1b9cd7c983409733c821766ca558ee3a809ee02633b4848f8595ef3259dbfae7ef4ea80e5e867a5e20d4247ffa611ab053b1314a7936114185370fbf3b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
bef3362eb93c979a17a2caac11f0a3a1

SHA1
6b30ff95f9ac799f1a2c4405556ed294c6c95494

SHA256
4d71d8254f0535ef07c9b841abdc8e2b56ce50fe8d93bb8d9dd7b9662b2ba2ee

SHA512
78571de93e5a4dd616883e6a37da2e5f687450953f81beb43ef3334e66b3652594af4e29b6297f9fdaecde2f7ba000d56b8142b017615ea22df3c965a93a5e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\da-DK\System Restore.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\System Restore.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\de-DE\System Restore.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe

Filesize
72KB

MD5
be93c765f186edaa9cb760b4437140e7

SHA1
999cf8bd844ccb9de05aca03400cbe3639949190

SHA256
48f6d92f97857a0af8db41f345e8ee57c464b5786a51ba43962424187715969b

SHA512
d12cc8c8187413b59c01a8d0e37510bd16249dc6b050aa31ea89a068ddafd5890f78e1ef114553d8e899b7520d09b0cc530eae967f2aaf14ecdf6fa8b5f47292

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
9af9c5f03b449f6d922b3f198b322081

SHA1
8536c8564cd309ff46efbbff675bf78a6291225a

SHA256
64a989f09f76fb56974f503c419a6f226d310edcfc60b3bbc39df1426b6dab47

SHA512
c381a59168dacd106137435d1ba990c108f58dba3ee95f2b6935379872503c2037a70aaa05f9c3488f457172fad7414d234aeec299f12ab89ce39d425e040daa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe

Filesize
72KB

MD5
9af9c5f03b449f6d922b3f198b322081

SHA1
8536c8564cd309ff46efbbff675bf78a6291225a

SHA256
64a989f09f76fb56974f503c419a6f226d310edcfc60b3bbc39df1426b6dab47

SHA512
c381a59168dacd106137435d1ba990c108f58dba3ee95f2b6935379872503c2037a70aaa05f9c3488f457172fad7414d234aeec299f12ab89ce39d425e040daa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
9af9c5f03b449f6d922b3f198b322081

SHA1
8536c8564cd309ff46efbbff675bf78a6291225a

SHA256
64a989f09f76fb56974f503c419a6f226d310edcfc60b3bbc39df1426b6dab47

SHA512
c381a59168dacd106137435d1ba990c108f58dba3ee95f2b6935379872503c2037a70aaa05f9c3488f457172fad7414d234aeec299f12ab89ce39d425e040daa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe

Filesize
72KB

MD5
9af9c5f03b449f6d922b3f198b322081

SHA1
8536c8564cd309ff46efbbff675bf78a6291225a

SHA256
64a989f09f76fb56974f503c419a6f226d310edcfc60b3bbc39df1426b6dab47

SHA512
c381a59168dacd106137435d1ba990c108f58dba3ee95f2b6935379872503c2037a70aaa05f9c3488f457172fad7414d234aeec299f12ab89ce39d425e040daa

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe

Filesize
72KB

MD5
ed9849d2c6ac16fd4894bc9f988753d1

SHA1
a47089ae34228f7530c5baaed7d0bffc540c5092

SHA256
94a52290f5698400708c268aa4634e61a56acb45df1a8cf47930af96662c4415

SHA512
09130cfca1827a233951b6524e5cc1e3f8c0aa36e3200ca574816a0a18f7cfb135df28b9ef61ee01c6137cf81d2bcb248b4f714b7c9c89c8f81a285d628b6a4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\update.exe

Filesize
72KB

MD5
ed9849d2c6ac16fd4894bc9f988753d1

SHA1
a47089ae34228f7530c5baaed7d0bffc540c5092

SHA256
94a52290f5698400708c268aa4634e61a56acb45df1a8cf47930af96662c4415

SHA512
09130cfca1827a233951b6524e5cc1e3f8c0aa36e3200ca574816a0a18f7cfb135df28b9ef61ee01c6137cf81d2bcb248b4f714b7c9c89c8f81a285d628b6a4d

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2689094358\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2689094358\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
9e61f336a1900bf6faf39ba0d777a030

SHA1
5bdae0742d103d1657ed3a9c52c07168dfa828fe

SHA256
e3aa4cfd90188d6bc7affd50a6ee22dc2542770f6756ed294e70d2bc24f20f1e

SHA512
ab2a22396df9af8880710cb3d9cbe114e844b5cf8d110f78a7dfb850d05a6576860af1f604952737c149f68369f0e7750dd160e89450a2532606f055ae6752a6

Download Submit
C:\backup.exe

Filesize
72KB

MD5
85c63cd714e4739246bdc4570223f77f

SHA1
fd7edc5ec40b755ed8b5391025892f17b260fc7f

SHA256
15957c5e7c17969a744ac88afa0dcae9c4d1f95fe7a32d4eac223856eea90f9f

SHA512
588ac04095dcdafe2733f6c9b97a475bb3547d900cc10641b2042fea94e0266796d2aaa4a2f66d01264b7dd5ae0a919b138c063b94db72c4305f8fb6db0a6ec4

Download Submit
C:\backup.exe

Filesize
72KB

MD5
85c63cd714e4739246bdc4570223f77f

SHA1
fd7edc5ec40b755ed8b5391025892f17b260fc7f

SHA256
15957c5e7c17969a744ac88afa0dcae9c4d1f95fe7a32d4eac223856eea90f9f

SHA512
588ac04095dcdafe2733f6c9b97a475bb3547d900cc10641b2042fea94e0266796d2aaa4a2f66d01264b7dd5ae0a919b138c063b94db72c4305f8fb6db0a6ec4

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
C:\odt\update.exe

Filesize
72KB

MD5
dec91de948843a8bd11926c3fd4d77f9

SHA1
a831287c37679cebf67d0634716dc48552d90ece

SHA256
59126fa2641a6960daaec8949e332adbd58e1195e95953e467959e28d5ffea1c

SHA512
5d530ccc426e5049abcb3929423f95477019cf177aadec99009f6e5297d082d910c736722f9dbb0ef8f0467d93a6e59c6b34ca758c3bce45fd0c126c795f378a

Download Submit
memory/8-194-0x0000000000000000-mapping.dmp

Download
memory/244-169-0x0000000000000000-mapping.dmp

Download
memory/332-387-0x0000000000000000-mapping.dmp

Download
memory/460-199-0x0000000000000000-mapping.dmp

Download
memory/600-297-0x0000000000000000-mapping.dmp

Download
memory/640-254-0x0000000000000000-mapping.dmp

Download
memory/684-381-0x0000000000000000-mapping.dmp

Download
memory/784-239-0x0000000000000000-mapping.dmp

Download
memory/896-327-0x0000000000000000-mapping.dmp

Download
memory/984-339-0x0000000000000000-mapping.dmp

Download
memory/1028-274-0x0000000000000000-mapping.dmp

Download
memory/1080-159-0x0000000000000000-mapping.dmp

Download
memory/1144-219-0x0000000000000000-mapping.dmp

Download
memory/1160-164-0x0000000000000000-mapping.dmp

Download
memory/1308-378-0x0000000000000000-mapping.dmp

Download
memory/1404-149-0x0000000000000000-mapping.dmp

Download
memory/1736-372-0x0000000000000000-mapping.dmp

Download
memory/1820-342-0x0000000000000000-mapping.dmp

Download
memory/1900-369-0x0000000000000000-mapping.dmp

Download
memory/2044-214-0x0000000000000000-mapping.dmp

Download
memory/2064-303-0x0000000000000000-mapping.dmp

Download
memory/2116-244-0x0000000000000000-mapping.dmp

Download
memory/2148-229-0x0000000000000000-mapping.dmp

Download
memory/2392-318-0x0000000000000000-mapping.dmp

Download
memory/2396-300-0x0000000000000000-mapping.dmp

Download
memory/2492-224-0x0000000000000000-mapping.dmp

Download
memory/2608-279-0x0000000000000000-mapping.dmp

Download
memory/2728-360-0x0000000000000000-mapping.dmp

Download
memory/2988-336-0x0000000000000000-mapping.dmp

Download
memory/3052-384-0x0000000000000000-mapping.dmp

Download
memory/3108-333-0x0000000000000000-mapping.dmp

Download
memory/3124-289-0x0000000000000000-mapping.dmp

Download
memory/3140-249-0x0000000000000000-mapping.dmp

Download
memory/3404-189-0x0000000000000000-mapping.dmp

Download
memory/3472-259-0x0000000000000000-mapping.dmp

Download
memory/3516-184-0x0000000000000000-mapping.dmp

Download
memory/3592-375-0x0000000000000000-mapping.dmp

Download
memory/3632-204-0x0000000000000000-mapping.dmp

Download
memory/3672-294-0x0000000000000000-mapping.dmp

Download
memory/3680-179-0x0000000000000000-mapping.dmp

Download
memory/3736-309-0x0000000000000000-mapping.dmp

Download
memory/3764-264-0x0000000000000000-mapping.dmp

Download
memory/3816-209-0x0000000000000000-mapping.dmp

Download
memory/4024-234-0x0000000000000000-mapping.dmp

Download
memory/4036-354-0x0000000000000000-mapping.dmp

Download
memory/4116-351-0x0000000000000000-mapping.dmp

Download
memory/4148-174-0x0000000000000000-mapping.dmp

Download
memory/4172-154-0x0000000000000000-mapping.dmp

Download
memory/4180-366-0x0000000000000000-mapping.dmp

Download
memory/4184-321-0x0000000000000000-mapping.dmp

Download
memory/4268-363-0x0000000000000000-mapping.dmp

Download
memory/4304-144-0x0000000000000000-mapping.dmp

Download
memory/4316-269-0x0000000000000000-mapping.dmp

Download
memory/4420-284-0x0000000000000000-mapping.dmp

Download
memory/4676-330-0x0000000000000000-mapping.dmp

Download
memory/4736-357-0x0000000000000000-mapping.dmp

Download
memory/4780-306-0x0000000000000000-mapping.dmp

Download
memory/4876-348-0x0000000000000000-mapping.dmp

Download
memory/4892-345-0x0000000000000000-mapping.dmp

Download
memory/4908-324-0x0000000000000000-mapping.dmp

Download
memory/4928-312-0x0000000000000000-mapping.dmp

Download
memory/5044-315-0x0000000000000000-mapping.dmp

Download
memory/5084-139-0x0000000000000000-mapping.dmp

Download
memory/5096-134-0x0000000000000000-mapping.dmp

Download