8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1

Analysis

max time kernel
115s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
Size

72KB
MD5

4b0cb5ead781a1a15a2e852d8132686a
SHA1

29a9c584d2e07bfc8662ec8715f485f3c782f72a
SHA256

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1
SHA512

7afc20f5f6453f0f6df8915c7e22efb3ecfbebb6349c1c3499f9ba051e507adbc595e53bd3d42ef10d0d6a57bad8c63c36de9d44d9c7bc2d37819673a3eab29c
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd/+I97:HeT7BVwxfvqguKp+S7

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1612	backup.exe
1532	backup.exe
1644	System Restore.exe
1692	backup.exe
468	backup.exe
1868	backup.exe
892	backup.exe
1792	backup.exe
1724	backup.exe
1032	backup.exe
1900	backup.exe
1348	backup.exe
824	System Restore.exe
1280	backup.exe
1016	backup.exe
2020	backup.exe
552	backup.exe
1756	update.exe
1196	data.exe
2040	backup.exe
960	backup.exe
1308	backup.exe
1460	backup.exe
684	System Restore.exe
900	backup.exe
1020	backup.exe
532	backup.exe
1564	backup.exe
1556	backup.exe
988	backup.exe
1912	backup.exe
1580	backup.exe
1388	backup.exe
1036	backup.exe
1172	backup.exe
1892	backup.exe
1128	backup.exe
984	backup.exe
604	backup.exe
304	backup.exe
888	backup.exe
2020	backup.exe
1664	backup.exe
1176	backup.exe
1504	backup.exe
2008	backup.exe
1628	backup.exe
1196	backup.exe
2040	backup.exe
960	backup.exe
1308	backup.exe
1460	backup.exe
684	backup.exe
900	backup.exe
1020	backup.exe
532	backup.exe
1564	System Restore.exe
1072	backup.exe
796	backup.exe
1904	backup.exe
2028	backup.exe
688	backup.exe
1312	backup.exe
1548	backup.exe

Loads dropped DLL 64 IoCs

Processes:

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

pid	process
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1868	backup.exe
1868	backup.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1792	backup.exe
1792	backup.exe
1868	backup.exe
1868	backup.exe
1900	backup.exe
1900	backup.exe
1348	backup.exe
1348	backup.exe
1900	backup.exe
1900	backup.exe
1280	backup.exe
1280	backup.exe
1016	backup.exe
1016	backup.exe
1016	backup.exe
1016	backup.exe
552	backup.exe
1756	update.exe
1756	update.exe
1756	update.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
552	backup.exe
1556	backup.exe
1556	backup.exe
1556	backup.exe
1556	backup.exe
1556	backup.exe
1556	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe

Drops file in Windows directory 10 IoCs

Processes:

backup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\AppPatch\de-DE\update.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\data.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\update.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe

pid process

1000 8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
1612	backup.exe
1532	backup.exe
1644	System Restore.exe
1692	backup.exe
468	backup.exe
1868	backup.exe
892	backup.exe
1792	backup.exe
1724	backup.exe
1032	backup.exe
1900	backup.exe
1348	backup.exe
824	System Restore.exe
1280	backup.exe
1016	backup.exe
2020	backup.exe
552	backup.exe
1756	update.exe
1196	data.exe
2040	backup.exe
960	backup.exe
1308	backup.exe
1460	backup.exe
684	System Restore.exe
900	backup.exe
1020	backup.exe
532	backup.exe
1564	backup.exe
1556	backup.exe
988	backup.exe
1912	backup.exe
1580	backup.exe
1388	backup.exe
1036	backup.exe
1172	backup.exe
1892	backup.exe
1128	backup.exe
984	backup.exe
604	backup.exe
304	backup.exe
888	backup.exe
2020	backup.exe
1176	backup.exe
1504	backup.exe
2008	backup.exe
1628	backup.exe
1196	backup.exe
2040	backup.exe
960	backup.exe
1308	backup.exe
1460	backup.exe
684	backup.exe
900	backup.exe
1020	backup.exe
532	backup.exe
1564	System Restore.exe
1072	backup.exe
796	backup.exe
1904	backup.exe
2028	backup.exe
688	backup.exe
1312	backup.exe
1548	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1000 wrote to memory of 1612	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1612	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1612	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1612	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1532	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1532	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1532	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1532	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1644	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	System Restore.exe
PID 1000 wrote to memory of 1644	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	System Restore.exe
PID 1000 wrote to memory of 1644	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	System Restore.exe
PID 1000 wrote to memory of 1644	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	System Restore.exe
PID 1000 wrote to memory of 1692	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1692	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1692	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1692	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 468	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 468	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 468	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 468	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1612 wrote to memory of 1868	1612	backup.exe	backup.exe
PID 1612 wrote to memory of 1868	1612	backup.exe	backup.exe
PID 1612 wrote to memory of 1868	1612	backup.exe	backup.exe
PID 1612 wrote to memory of 1868	1612	backup.exe	backup.exe
PID 1000 wrote to memory of 892	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 892	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 892	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 892	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1868 wrote to memory of 1792	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1792	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1792	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1792	1868	backup.exe	backup.exe
PID 1000 wrote to memory of 1724	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1724	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1724	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1000 wrote to memory of 1724	1000	8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe	backup.exe
PID 1792 wrote to memory of 1032	1792	backup.exe	backup.exe
PID 1792 wrote to memory of 1032	1792	backup.exe	backup.exe
PID 1792 wrote to memory of 1032	1792	backup.exe	backup.exe
PID 1792 wrote to memory of 1032	1792	backup.exe	backup.exe
PID 1868 wrote to memory of 1900	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1900	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1900	1868	backup.exe	backup.exe
PID 1868 wrote to memory of 1900	1868	backup.exe	backup.exe
PID 1900 wrote to memory of 1348	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1348	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1348	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1348	1900	backup.exe	backup.exe
PID 1348 wrote to memory of 824	1348	backup.exe	System Restore.exe
PID 1348 wrote to memory of 824	1348	backup.exe	System Restore.exe
PID 1348 wrote to memory of 824	1348	backup.exe	System Restore.exe
PID 1348 wrote to memory of 824	1348	backup.exe	System Restore.exe
PID 1900 wrote to memory of 1280	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1280	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1280	1900	backup.exe	backup.exe
PID 1900 wrote to memory of 1280	1900	backup.exe	backup.exe
PID 1280 wrote to memory of 1016	1280	backup.exe	backup.exe
PID 1280 wrote to memory of 1016	1280	backup.exe	backup.exe
PID 1280 wrote to memory of 1016	1280	backup.exe	backup.exe
PID 1280 wrote to memory of 1016	1280	backup.exe	backup.exe
PID 1016 wrote to memory of 2020	1016	backup.exe	backup.exe
PID 1016 wrote to memory of 2020	1016	backup.exe	backup.exe
PID 1016 wrote to memory of 2020	1016	backup.exe	backup.exe
PID 1016 wrote to memory of 2020	1016	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe
"C:\Users\Admin\AppData\Local\Temp\8f9221d7e4a5f675c44e24f15e2316092571ad5364a555cdde193526e2d9e9b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\1827647601\backup.exe
C:\Users\Admin\AppData\Local\Temp\1827647601\backup.exe C:\Users\Admin\AppData\Local\Temp\1827647601\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files\7-Zip\Lang\System Restore.exe
"C:\Program Files\7-Zip\Lang\System Restore.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:824

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:552

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:960

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1020

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:532

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1564

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:988

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:984

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:604

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:304

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:888

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- System policy modification
PID:1664

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:960

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1460

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:532

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1548

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\update.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:560

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- System policy modification
PID:884

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:276

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
PID:1720

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:1676

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:864

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:888

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:1812

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1664

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
- Modifies visibility of file extensions in Explorer
PID:956

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Drops file in Program Files directory
PID:2008

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
- System policy modification
PID:1748

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:892

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:844

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:1172

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1496

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2020

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:1568

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
- System policy modification
PID:1504

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:1552

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:1588

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:624

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:532

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
- System policy modification
PID:1892

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:432

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
- Drops file in Program Files directory
PID:864

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:1628

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1488

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:1504

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
PID:624

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:1376

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:1120

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:1792

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:1180

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
- System policy modification
PID:2036

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:1764

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
- System policy modification
PID:1768

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1352

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:392

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:1564

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:856

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:1180

C:\Program Files\Common Files\System\fr-FR\update.exe
"C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1696

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:1632

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:1504

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:668

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
PID:1824

C:\Program Files\Common Files\System\msadc\en-US\update.exe
"C:\Program Files\Common Files\System\msadc\en-US\update.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:892

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
PID:1996

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
PID:1736

C:\Program Files\Common Files\System\msadc\it-IT\update.exe
"C:\Program Files\Common Files\System\msadc\it-IT\update.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
PID:552

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1668

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- Drops file in Program Files directory
PID:1568

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:920

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:1176

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:1020

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
- System policy modification
PID:1692

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:1920

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:1312

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Drops file in Program Files directory
PID:1532

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
PID:952

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
PID:520

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:336

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
PID:112

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
PID:1220

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:452

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:896

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:588

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1176

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:1740

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
PID:668

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:1964

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1320

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
- System policy modification
PID:1576

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
PID:1580

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:276

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:1600

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:1176

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
PID:1944

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1688

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:1872

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
- System policy modification
PID:624

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
PID:1220

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:532

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:1416

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
PID:824

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
PID:1548

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
PID:1180

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
- Drops file in Program Files directory
PID:960

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
PID:1504

C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Drops file in Program Files directory
PID:2032

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
PID:1560

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
PID:684

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- System policy modification
PID:988

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
PID:892

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
- Modifies visibility of file extensions in Explorer
PID:532

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
- Modifies visibility of file extensions in Explorer
PID:856

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1736

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
PID:276

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
PID:2036

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
PID:1600

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
- System policy modification
PID:1676

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
- System policy modification
PID:1224

C:\Program Files\Internet Explorer\data.exe
"C:\Program Files\Internet Explorer\data.exe" C:\Program Files\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:944

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:1756

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
- System policy modification
PID:864

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:1628

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:1688

C:\Program Files\Internet Explorer\images\data.exe
"C:\Program Files\Internet Explorer\images\data.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1040

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
- System policy modification
PID:1920

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1068

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1812

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Drops file in Program Files directory
PID:1120

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:1436

C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
- Drops file in Program Files directory
PID:1376

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
PID:1548

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
PID:2032

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:888

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
8⤵
PID:1768

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
9⤵
- System policy modification
PID:1224

C:\Program Files\Java\jdk1.7.0_80\jre\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
7⤵
- System policy modification
PID:1308

C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
8⤵
PID:1756

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
9⤵
- System policy modification
PID:1792

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
9⤵
PID:1320

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
9⤵
PID:1692

C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
8⤵
- Drops file in Program Files directory
- System policy modification
PID:624

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
9⤵
PID:1696

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
9⤵
PID:2020

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
9⤵
PID:892

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
9⤵
PID:820

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
9⤵
PID:1736

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
9⤵
PID:1548

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
9⤵
PID:844

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
10⤵
PID:1504

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
9⤵
- Modifies visibility of file extensions in Explorer
PID:920

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\update.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
9⤵
PID:1176

C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
9⤵
PID:1588

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
9⤵
PID:1736

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
10⤵
PID:1180

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
10⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2020

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
11⤵
PID:1624

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
11⤵
PID:1324

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
11⤵
PID:1668

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
11⤵
PID:560

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\update.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
10⤵
PID:1388

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
10⤵
PID:1720

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
10⤵
PID:2152

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
10⤵
PID:2300

C:\Program Files\Java\jdk1.7.0_80\lib\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
7⤵
- Modifies visibility of file extensions in Explorer
PID:688

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
8⤵
- Drops file in Program Files directory
PID:1688

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
9⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
- System policy modification
PID:1388

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
PID:1196

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
9⤵
PID:892

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
9⤵
PID:1532

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
9⤵
PID:1708

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
9⤵
PID:2168

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
8⤵
PID:1040

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
PID:432

C:\Program Files\Java\jre7\bin\backup.exe
"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:920

C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
8⤵
- System policy modification
PID:1740

C:\Program Files\Java\jre7\bin\plugin2\backup.exe
"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
8⤵
PID:1548

C:\Program Files\Java\jre7\bin\server\backup.exe
"C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
8⤵
PID:1660

C:\Program Files\Java\jre7\lib\backup.exe
"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
7⤵
PID:1740

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:820

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
- System policy modification
PID:1176

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:1076

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
PID:796

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
PID:1708

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
PID:1916

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:1196

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
PID:920

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:1264

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
PID:668

C:\Program Files\Microsoft Games\Mahjong\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
PID:760

C:\Program Files\Microsoft Games\Minesweeper\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
PID:2128

C:\Program Files\Microsoft Games\More Games\backup.exe
"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:2284

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
- System policy modification
PID:564

C:\Program Files\Microsoft Office\Office14\backup.exe
"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
6⤵
PID:1020

C:\Program Files\Microsoft Office\Office14\1033\backup.exe
"C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1324

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:1812

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2000

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
7⤵
PID:280

C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
7⤵
PID:1152

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
6⤵
PID:1128

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
6⤵
PID:1772

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
6⤵
PID:2192

C:\Program Files\Mozilla Firefox\uninstall\backup.exe
"C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
6⤵
PID:2332

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1704

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:1912

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:1640

C:\Program Files\Windows Defender\backup.exe
"C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
5⤵
PID:2120

C:\Program Files\Windows Journal\backup.exe
"C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
5⤵
PID:2268

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
PID:972

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
PID:2040

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
PID:580

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:928

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Drops file in Program Files directory
- System policy modification
PID:1724

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
PID:1580

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
PID:1312

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:1344

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
PID:1248

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:1488

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:1872

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
- System policy modification
PID:1376

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
- System policy modification
PID:796

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:564

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
- Drops file in Program Files directory
PID:1344

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1720

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:956

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
PID:1740

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
PID:684

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
- System policy modification
PID:900

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
PID:820

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
- Modifies visibility of file extensions in Explorer
PID:1068

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:1376

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
- System policy modification
PID:2036

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
PID:1804

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
- System policy modification
PID:280

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
PID:468

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:1628

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1944

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:1740

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
PID:1484

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:820

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
- Modifies visibility of file extensions in Explorer
PID:452

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1892

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:564

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
PID:1972

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
- Modifies visibility of file extensions in Explorer
PID:888

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:1472

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
PID:1696

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:1652

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:1488

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
- System policy modification
PID:1248

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:1588

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:900

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:112

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1072

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
- System policy modification
PID:892

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:532

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Drops file in Program Files directory
PID:1280

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
- System policy modification
PID:856

C:\Program Files (x86)\Common Files\Adobe\Help\data.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
PID:1892

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
- System policy modification
PID:1668

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:276

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1972

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
- Modifies visibility of file extensions in Explorer
PID:564

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
- System policy modification
PID:1744

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1924

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
8⤵
PID:1724

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1488

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
- Drops file in Program Files directory
PID:1824

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
PID:1036

C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DW\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
7⤵
PID:1128

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
7⤵
PID:1996

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
8⤵
PID:280

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
7⤵
PID:856

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
7⤵
PID:2036

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
7⤵
- System policy modification
PID:896

C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1764

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
8⤵
- System policy modification
PID:1224

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
8⤵
PID:1924

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
8⤵
PID:856

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
8⤵
- System policy modification
PID:1768

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
8⤵
PID:1484

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
8⤵
PID:1504

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
8⤵
PID:1072

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
8⤵
PID:1716

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
8⤵
PID:2044

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
8⤵
PID:1600

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
8⤵
PID:1816

C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
7⤵
- System policy modification
PID:1344

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
8⤵
PID:560

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2036

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
8⤵
PID:1664

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
8⤵
PID:828

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
8⤵
PID:280

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
PID:2184

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:2324

C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
7⤵
PID:1892

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
7⤵
PID:1040

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
8⤵
PID:624

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
PID:2216

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
7⤵
PID:584

C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1716

C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
7⤵
PID:2200

C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
7⤵
PID:2316

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
PID:280

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:960

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
7⤵
PID:1724

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:276

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
PID:956

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
7⤵
PID:1036

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
7⤵
PID:1556

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
7⤵
PID:2160

C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
7⤵
PID:2308

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:580

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
- System policy modification
PID:1756

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1772

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
- Modifies visibility of file extensions in Explorer
PID:468

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:1248

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
- Drops file in Program Files directory
PID:1676

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:1224

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:1220

C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\System Restore.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:1260

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:1652

C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\System Restore.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
PID:2040

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
PID:1020

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
PID:2136

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:2008

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:844

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
7⤵
PID:1376

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\data.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
8⤵
PID:1224

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
8⤵
PID:1220

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:624

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:1632

C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:468

C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
5⤵
PID:2176

C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe
"C:\Program Files (x86)\Microsoft Visual Studio 8\System Restore.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
5⤵
PID:2276

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
PID:268

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
PID:576

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:580

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:1556

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:2000

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:668

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:552

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1668

C:\Users\Admin\Music\data.exe
C:\Users\Admin\Music\data.exe C:\Users\Admin\Music\
6⤵
- Modifies visibility of file extensions in Explorer
PID:956

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:828

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:1908

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:1904

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1804

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:1696

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:1912

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:2020

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
- System policy modification
PID:1460

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:1172

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:1668

C:\Users\Public\Pictures\Sample Pictures\backup.exe
"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
7⤵
- System policy modification
PID:1872

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1600

C:\Users\Public\Recorded TV\Sample Media\backup.exe
"C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1532

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:304

C:\Users\Public\Videos\Sample Videos\backup.exe
"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
7⤵
PID:1460

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in Windows directory
- System policy modification
PID:884

C:\Windows\addins\data.exe
C:\Windows\addins\data.exe C:\Windows\addins\
5⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
- System policy modification
PID:268

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
- Drops file in Windows directory
PID:1564

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
PID:452

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
PID:1496

C:\Windows\AppPatch\de-DE\update.exe
C:\Windows\AppPatch\de-DE\update.exe C:\Windows\AppPatch\de-DE\
6⤵
PID:1624

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:2144

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:2292

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
PID:1068

C:\Windows\Branding\update.exe
C:\Windows\Branding\update.exe C:\Windows\Branding\
5⤵
PID:2032

C:\Windows\CSC\backup.exe
C:\Windows\CSC\backup.exe C:\Windows\CSC\
5⤵
PID:2080

C:\Windows\Cursors\backup.exe
C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
5⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
"C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:468

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
C:\Program Files\7-Zip\Lang\System Restore.exe
Filesize
72KB

MD5
2567302f7231047ce6a3d3e3d7a9378b

SHA1
0d7514d7dc34ac87104c960229ba2e483dee4e36

SHA256
c2c9524e90ab1e8be428157846373af0f2892c637b3a5b1913ad04a9d4a6f3f8

SHA512
f8be6a7c295a805bbe827847e2ac5e29fd00c091711942270aa8582896d0ebaca175ac7b34de515cee75a28e8b0192f376175b10f15521653440686ed85384aa

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
ed5b06b1fd1d5a46f7e49ed62d50bbb4

SHA1
981ee6cd50a496cff61cd981410a4602e1279952

SHA256
0ef8c769afeded15e49cfe87722ae3bc21507fc7976bfa2154e89618529e7af6

SHA512
01aeba03ccbb8fe56c765d60e6257650f25babb67a5551685180768e2bf732d0c3066d6265826eec042c68071c68431d20acdac37a76e3fcb954bbdf6d41658c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
ed5b06b1fd1d5a46f7e49ed62d50bbb4

SHA1
981ee6cd50a496cff61cd981410a4602e1279952

SHA256
0ef8c769afeded15e49cfe87722ae3bc21507fc7976bfa2154e89618529e7af6

SHA512
01aeba03ccbb8fe56c765d60e6257650f25babb67a5551685180768e2bf732d0c3066d6265826eec042c68071c68431d20acdac37a76e3fcb954bbdf6d41658c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33be3e453acdb917c53f62b8c9395b3c

SHA1
f6a826a35e36547bee5d7fcd19144e72d01b5c33

SHA256
4595ae759f046f3739fe1a601f18d575ae0307b1450622a9659d6dea1268c810

SHA512
9bf12091e9e9f5d71f37f6e4ccd4a0a1d36c8f73b6808a2629efa6e335dedaa63c543b2d7374fd7f539105b4753085cbb98ac4328d5108e16589cf8ab925673e

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33be3e453acdb917c53f62b8c9395b3c

SHA1
f6a826a35e36547bee5d7fcd19144e72d01b5c33

SHA256
4595ae759f046f3739fe1a601f18d575ae0307b1450622a9659d6dea1268c810

SHA512
9bf12091e9e9f5d71f37f6e4ccd4a0a1d36c8f73b6808a2629efa6e335dedaa63c543b2d7374fd7f539105b4753085cbb98ac4328d5108e16589cf8ab925673e

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827647601\backup.exe
Filesize
72KB

MD5
cac21d3d432af310031b98635184bf82

SHA1
9922eadfb33aff33a4c8b6e37e3206f9a47f0e72

SHA256
66dcbb81f64239cea92d85d20939b26a53edc1b16c303967fd9f863703c8b005

SHA512
37816df1540f96b93d3b09dd443a793e30da2b14f97c618deaeaa78c6bda669ffd576e4a858fe01d44057ce982e5598607b8a2b52ddcaea339131754c6605d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1827647601\backup.exe
Filesize
72KB

MD5
cac21d3d432af310031b98635184bf82

SHA1
9922eadfb33aff33a4c8b6e37e3206f9a47f0e72

SHA256
66dcbb81f64239cea92d85d20939b26a53edc1b16c303967fd9f863703c8b005

SHA512
37816df1540f96b93d3b09dd443a793e30da2b14f97c618deaeaa78c6bda669ffd576e4a858fe01d44057ce982e5598607b8a2b52ddcaea339131754c6605d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
C:\backup.exe
Filesize
72KB

MD5
6e8a930b64c896eeff059f4d1e4b87da

SHA1
efb5b892efc002429f0d62d701c5a8345f58bfef

SHA256
f1438693b2f277f765ea42666f76ba775cebeb5ea0dcd99f0472bf586366d84b

SHA512
e89750bde1759d93b691e5ae663fc829d14c99e2f29a55901858264a3e70d53f114ff20e1a398649e801feb8027f7fb39cd765324d4836aed0c96afd18618c66

Download Submit
C:\backup.exe
Filesize
72KB

MD5
6e8a930b64c896eeff059f4d1e4b87da

SHA1
efb5b892efc002429f0d62d701c5a8345f58bfef

SHA256
f1438693b2f277f765ea42666f76ba775cebeb5ea0dcd99f0472bf586366d84b

SHA512
e89750bde1759d93b691e5ae663fc829d14c99e2f29a55901858264a3e70d53f114ff20e1a398649e801feb8027f7fb39cd765324d4836aed0c96afd18618c66

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
\Program Files\7-Zip\Lang\System Restore.exe
Filesize
72KB

MD5
2567302f7231047ce6a3d3e3d7a9378b

SHA1
0d7514d7dc34ac87104c960229ba2e483dee4e36

SHA256
c2c9524e90ab1e8be428157846373af0f2892c637b3a5b1913ad04a9d4a6f3f8

SHA512
f8be6a7c295a805bbe827847e2ac5e29fd00c091711942270aa8582896d0ebaca175ac7b34de515cee75a28e8b0192f376175b10f15521653440686ed85384aa

Download Submit
\Program Files\7-Zip\Lang\System Restore.exe
Filesize
72KB

MD5
2567302f7231047ce6a3d3e3d7a9378b

SHA1
0d7514d7dc34ac87104c960229ba2e483dee4e36

SHA256
c2c9524e90ab1e8be428157846373af0f2892c637b3a5b1913ad04a9d4a6f3f8

SHA512
f8be6a7c295a805bbe827847e2ac5e29fd00c091711942270aa8582896d0ebaca175ac7b34de515cee75a28e8b0192f376175b10f15521653440686ed85384aa

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
18ea4237da84243f943feee1fb0a6287

SHA1
0deffa82c6f22ab875d8af557d7fc1a83722b35a

SHA256
384fcc7b997e7ff98ccfd32020dcbf85a576d9eba9fc01221ed7d380fe55cc9c

SHA512
f74d09f66aa883cb66e920785029c7fb8a1bcbef96f7861b0f66b5ec628ecf19a17658e6e166aca1d4b7f5ac305fb88cf7e7396c8cfea50a3444f46df88dd3ff

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
ed5b06b1fd1d5a46f7e49ed62d50bbb4

SHA1
981ee6cd50a496cff61cd981410a4602e1279952

SHA256
0ef8c769afeded15e49cfe87722ae3bc21507fc7976bfa2154e89618529e7af6

SHA512
01aeba03ccbb8fe56c765d60e6257650f25babb67a5551685180768e2bf732d0c3066d6265826eec042c68071c68431d20acdac37a76e3fcb954bbdf6d41658c

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
ed5b06b1fd1d5a46f7e49ed62d50bbb4

SHA1
981ee6cd50a496cff61cd981410a4602e1279952

SHA256
0ef8c769afeded15e49cfe87722ae3bc21507fc7976bfa2154e89618529e7af6

SHA512
01aeba03ccbb8fe56c765d60e6257650f25babb67a5551685180768e2bf732d0c3066d6265826eec042c68071c68431d20acdac37a76e3fcb954bbdf6d41658c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\update.exe
Filesize
72KB

MD5
55c8cc7311b4cb7e7c136b4558d27c3a

SHA1
e3f76b88497cdba09d4202c179883c836396c720

SHA256
c0f33e1c8f9c56bc7308d2129b1e0f4ab16e3909ea65e84852662128f257b7dc

SHA512
0ce1608333d91508f625a680df89c44b59de316015154feeda24bdfbbad28bf50d9d16c564e1e4a5b86f609c1eedb6a37ebf62738c7859765518272ca04d5bcc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
52404b39271aad9a7c465c39ad879c83

SHA1
8166eb85c5e370c9a4a65aa750d9ddb66fff5cc7

SHA256
435d5400c44de667ca932544337d4805e3be4c4f0770fdbd745fcb9ac9ff2a33

SHA512
a2c99a32ff93408a0c7b474ea970fd9b6ea302b8b5272b7c4b085b1853deabe829da3b8bb826641e4efc4527c6c4f20524beb4714dfbe529beb80b3016fd9c00

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
Filesize
72KB

MD5
ac390b438f3729e6ceb14d78f9b21f1c

SHA1
61d37d99a9554b6105b3c5bbef1fe5296df38670

SHA256
3ad8948d91fb6e0473349b7a3b71bdf7a5233f86093a07d8cbfa70d9b19c4e91

SHA512
ffafb94005046dd39bf054bc317b1f03636a9b017102c6c0250f575260d1ddd6515f60873ebfaadc31328efca3ea7dddf583907428084426a222ac235357f702

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33be3e453acdb917c53f62b8c9395b3c

SHA1
f6a826a35e36547bee5d7fcd19144e72d01b5c33

SHA256
4595ae759f046f3739fe1a601f18d575ae0307b1450622a9659d6dea1268c810

SHA512
9bf12091e9e9f5d71f37f6e4ccd4a0a1d36c8f73b6808a2629efa6e335dedaa63c543b2d7374fd7f539105b4753085cbb98ac4328d5108e16589cf8ab925673e

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
33be3e453acdb917c53f62b8c9395b3c

SHA1
f6a826a35e36547bee5d7fcd19144e72d01b5c33

SHA256
4595ae759f046f3739fe1a601f18d575ae0307b1450622a9659d6dea1268c810

SHA512
9bf12091e9e9f5d71f37f6e4ccd4a0a1d36c8f73b6808a2629efa6e335dedaa63c543b2d7374fd7f539105b4753085cbb98ac4328d5108e16589cf8ab925673e

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
d11efadc9d9d5a229705cd34bc8bf6c6

SHA1
0390d650c10ad2f84d56d7cbf1ca4b3d980a3070

SHA256
29a88c8ae08971de0d9a3ac8710c421d41215e5e760ad2c2cdd823f274fc26df

SHA512
66032195e4e86d99bef6e057262e17ef467c807330a85349463b8c256f9a04981ee9ce37892888919da1b3385c273d4e19550cfb96c063b56a59c5a07e82fc1f

Download Submit
\Users\Admin\AppData\Local\Temp\1827647601\backup.exe
Filesize
72KB

MD5
cac21d3d432af310031b98635184bf82

SHA1
9922eadfb33aff33a4c8b6e37e3206f9a47f0e72

SHA256
66dcbb81f64239cea92d85d20939b26a53edc1b16c303967fd9f863703c8b005

SHA512
37816df1540f96b93d3b09dd443a793e30da2b14f97c618deaeaa78c6bda669ffd576e4a858fe01d44057ce982e5598607b8a2b52ddcaea339131754c6605d95

Download Submit
\Users\Admin\AppData\Local\Temp\1827647601\backup.exe
Filesize
72KB

MD5
cac21d3d432af310031b98635184bf82

SHA1
9922eadfb33aff33a4c8b6e37e3206f9a47f0e72

SHA256
66dcbb81f64239cea92d85d20939b26a53edc1b16c303967fd9f863703c8b005

SHA512
37816df1540f96b93d3b09dd443a793e30da2b14f97c618deaeaa78c6bda669ffd576e4a858fe01d44057ce982e5598607b8a2b52ddcaea339131754c6605d95

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
56457aecdb3423a41d22d64c997554c9

SHA1
5a70a96c993d0fe4116f20c259b97c4d33cc4674

SHA256
56eb12ca1403298c433256fc07dc5ef404a608559434e8381bee4d79df69dcc0

SHA512
358bd2d99853fdfe8733c017c9d1925063f3834b77ce214657519a93bbfd695d45d971eb6eef1eb4d894fa5d9b75a02537358594930de304c5d5ea6f028f985e

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
bac358cf7b7540fa85849d947643da00

SHA1
0a73bb926d6075a4439702e79adb7b13bc227b92

SHA256
d900eb13de55c57317c2162471eaeabae2a0b8da1f07b222917824c340b32844

SHA512
404fcda27f361a4c70357e3950efcef79b95d04e555338692083cd1d805fb7fcda0fefc094a78d44bc20a09a2661402b2af624b057949ef701d4cd5b99200625

Download Submit
memory/304-240-0x0000000000000000-mapping.dmp

Download
memory/468-83-0x0000000000000000-mapping.dmp

Download
memory/532-201-0x0000000000000000-mapping.dmp

Download
memory/532-286-0x0000000000000000-mapping.dmp

Download
memory/552-160-0x0000000000000000-mapping.dmp

Download
memory/604-237-0x0000000000000000-mapping.dmp

Download
memory/684-192-0x0000000000000000-mapping.dmp

Download
memory/684-277-0x0000000000000000-mapping.dmp

Download
memory/688-304-0x0000000000000000-mapping.dmp

Download
memory/796-295-0x0000000000000000-mapping.dmp

Download
memory/824-134-0x0000000000000000-mapping.dmp

Download
memory/888-243-0x0000000000000000-mapping.dmp

Download
memory/892-93-0x0000000000000000-mapping.dmp

Download
memory/900-195-0x0000000000000000-mapping.dmp

Download
memory/900-280-0x0000000000000000-mapping.dmp

Download
memory/960-183-0x0000000000000000-mapping.dmp

Download
memory/960-268-0x0000000000000000-mapping.dmp

Download
memory/984-234-0x0000000000000000-mapping.dmp

Download
memory/988-210-0x0000000000000000-mapping.dmp

Download
memory/1000-175-0x00000000742E1000-0x00000000742E3000-memory.dmp

Filesize
8KB

Download
memory/1000-117-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1016-147-0x0000000000000000-mapping.dmp

Download
memory/1020-198-0x0000000000000000-mapping.dmp

Download
memory/1020-283-0x0000000000000000-mapping.dmp

Download
memory/1032-113-0x0000000000000000-mapping.dmp

Download
memory/1036-222-0x0000000000000000-mapping.dmp

Download
memory/1072-292-0x0000000000000000-mapping.dmp

Download
memory/1128-231-0x0000000000000000-mapping.dmp

Download
memory/1172-225-0x0000000000000000-mapping.dmp

Download
memory/1176-250-0x0000000000000000-mapping.dmp

Download
memory/1196-177-0x0000000000000000-mapping.dmp

Download
memory/1196-262-0x0000000000000000-mapping.dmp

Download
memory/1280-140-0x0000000000000000-mapping.dmp

Download
memory/1308-271-0x0000000000000000-mapping.dmp

Download
memory/1308-186-0x0000000000000000-mapping.dmp

Download
memory/1312-307-0x0000000000000000-mapping.dmp

Download
memory/1348-127-0x0000000000000000-mapping.dmp

Download
memory/1388-219-0x0000000000000000-mapping.dmp

Download
memory/1460-274-0x0000000000000000-mapping.dmp

Download
memory/1460-189-0x0000000000000000-mapping.dmp

Download
memory/1504-253-0x0000000000000000-mapping.dmp

Download
memory/1532-64-0x0000000000000000-mapping.dmp

Download
memory/1548-310-0x0000000000000000-mapping.dmp

Download
memory/1556-207-0x0000000000000000-mapping.dmp

Download
memory/1564-289-0x0000000000000000-mapping.dmp

Download
memory/1564-204-0x0000000000000000-mapping.dmp

Download
memory/1580-216-0x0000000000000000-mapping.dmp

Download
memory/1612-58-0x0000000000000000-mapping.dmp

Download
memory/1628-259-0x0000000000000000-mapping.dmp

Download
memory/1644-70-0x0000000000000000-mapping.dmp

Download
memory/1664-249-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1724-107-0x0000000000000000-mapping.dmp

Download
memory/1756-166-0x0000000000000000-mapping.dmp

Download
memory/1792-100-0x0000000000000000-mapping.dmp

Download
memory/1868-87-0x0000000000000000-mapping.dmp

Download
memory/1892-228-0x0000000000000000-mapping.dmp

Download
memory/1900-120-0x0000000000000000-mapping.dmp

Download
memory/1904-298-0x0000000000000000-mapping.dmp

Download
memory/1912-213-0x0000000000000000-mapping.dmp

Download
memory/2008-256-0x0000000000000000-mapping.dmp

Download
memory/2020-246-0x0000000000000000-mapping.dmp

Download
memory/2020-154-0x0000000000000000-mapping.dmp

Download
memory/2028-301-0x0000000000000000-mapping.dmp

Download
memory/2040-265-0x0000000000000000-mapping.dmp

Download
memory/2040-180-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads