1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
Size

72KB
MD5

09187a6c41dcbbf3037b3371ae15a4a6
SHA1

c81de634d142e1c1ff25c4bf0605e43b7ea53943
SHA256

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7
SHA512

18f0478926f18936a028d8fd1176d6e34937eb16e0b355e79174f8746ce2253b055ac30bbecfea0cb4cc0c27cdcd3f85441bbf4f3f0e4b678f1720434d72bf8a
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2C:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrfG

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exedata.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeupdate.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exeupdate.exebackup.exeupdate.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1776	backup.exe
1952	backup.exe
940	backup.exe
1192	backup.exe
1408	backup.exe
880	backup.exe
1736	backup.exe
1868	System Restore.exe
1576	backup.exe
536	backup.exe
1988	backup.exe
1968	backup.exe
468	backup.exe
1680	backup.exe
856	backup.exe
1424	backup.exe
924	backup.exe
1508	backup.exe
1340	backup.exe
2040	backup.exe
812	backup.exe
1160	backup.exe
2024	backup.exe
1708	backup.exe
1472	backup.exe
1740	backup.exe
1736	backup.exe
1720	backup.exe
1236	backup.exe
1036	backup.exe
916	backup.exe
1404	backup.exe
752	backup.exe
1552	backup.exe
2008	backup.exe
1888	backup.exe
1928	backup.exe
1108	backup.exe
468	System Restore.exe
1300	backup.exe
1568	data.exe
732	update.exe
1424	backup.exe
1560	update.exe
1676	update.exe
384	backup.exe
1952	backup.exe
1376	backup.exe
2040	backup.exe
812	backup.exe
1160	backup.exe
2024	backup.exe
1708	backup.exe
1472	backup.exe
1740	backup.exe
1736	backup.exe
1720	backup.exe
1480	backup.exe
1468	backup.exe
1996	backup.exe
1116	backup.exe
1964	backup.exe
1696	backup.exe
748	backup.exe

Loads dropped DLL 64 IoCs

Processes:

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1868	System Restore.exe
1868	System Restore.exe
1576	backup.exe
1576	backup.exe
1868	System Restore.exe
1868	System Restore.exe
1988	backup.exe
1988	backup.exe
1968	backup.exe
1968	backup.exe
1988	backup.exe
1988	backup.exe
1680	backup.exe
1680	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
856	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
924	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe
1236	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe

pid process

1092 1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exeupdate.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
1776	backup.exe
1952	backup.exe
940	backup.exe
1192	backup.exe
1408	backup.exe
880	backup.exe
1736	backup.exe
1868	System Restore.exe
1576	backup.exe
536	backup.exe
1988	backup.exe
1968	backup.exe
468	backup.exe
1680	backup.exe
856	backup.exe
1424	backup.exe
924	backup.exe
1508	backup.exe
1340	backup.exe
2040	backup.exe
812	backup.exe
1160	backup.exe
2024	backup.exe
1708	backup.exe
1472	backup.exe
1740	backup.exe
1736	backup.exe
1720	backup.exe
1236	backup.exe
1036	backup.exe
916	backup.exe
1404	backup.exe
752	backup.exe
1552	backup.exe
2008	backup.exe
1888	backup.exe
1928	backup.exe
1108	backup.exe
468	System Restore.exe
1300	backup.exe
1568	data.exe
732	update.exe
1424	backup.exe
1676	update.exe
384	backup.exe
1952	backup.exe
1376	backup.exe
2040	backup.exe
812	backup.exe
1160	backup.exe
2024	backup.exe
1708	backup.exe
1472	backup.exe
1740	backup.exe
1736	backup.exe
1720	backup.exe
1480	backup.exe
1468	backup.exe
1996	backup.exe
1116	backup.exe
1964	backup.exe
1696	backup.exe
748	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 1092 wrote to memory of 1776	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1776	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1776	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1776	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1952	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1952	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1952	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1952	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 940	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 940	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 940	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 940	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1192	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1192	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1192	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1192	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1408	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1408	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1408	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1408	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 880	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 880	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 880	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 880	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1736	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1736	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1736	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1092 wrote to memory of 1736	1092	1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe	backup.exe
PID 1776 wrote to memory of 1868	1776	backup.exe	System Restore.exe
PID 1776 wrote to memory of 1868	1776	backup.exe	System Restore.exe
PID 1776 wrote to memory of 1868	1776	backup.exe	System Restore.exe
PID 1776 wrote to memory of 1868	1776	backup.exe	System Restore.exe
PID 1868 wrote to memory of 1576	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1576	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1576	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1576	1868	System Restore.exe	backup.exe
PID 1576 wrote to memory of 536	1576	backup.exe	backup.exe
PID 1576 wrote to memory of 536	1576	backup.exe	backup.exe
PID 1576 wrote to memory of 536	1576	backup.exe	backup.exe
PID 1576 wrote to memory of 536	1576	backup.exe	backup.exe
PID 1868 wrote to memory of 1988	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1988	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1988	1868	System Restore.exe	backup.exe
PID 1868 wrote to memory of 1988	1868	System Restore.exe	backup.exe
PID 1988 wrote to memory of 1968	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1968	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1968	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1968	1988	backup.exe	backup.exe
PID 1968 wrote to memory of 468	1968	backup.exe	backup.exe
PID 1968 wrote to memory of 468	1968	backup.exe	backup.exe
PID 1968 wrote to memory of 468	1968	backup.exe	backup.exe
PID 1968 wrote to memory of 468	1968	backup.exe	backup.exe
PID 1988 wrote to memory of 1680	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1680	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1680	1988	backup.exe	backup.exe
PID 1988 wrote to memory of 1680	1988	backup.exe	backup.exe
PID 1680 wrote to memory of 856	1680	backup.exe	backup.exe
PID 1680 wrote to memory of 856	1680	backup.exe	backup.exe
PID 1680 wrote to memory of 856	1680	backup.exe	backup.exe
PID 1680 wrote to memory of 856	1680	backup.exe	backup.exe
PID 856 wrote to memory of 1424	856	backup.exe	backup.exe
PID 856 wrote to memory of 1424	856	backup.exe	backup.exe
PID 856 wrote to memory of 1424	856	backup.exe	backup.exe
PID 856 wrote to memory of 1424	856	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe
"C:\Users\Admin\AppData\Local\Temp\1ea982a6ec0b3b48648fcf90c3cc1bd5d490d58166376dd497369a0a950e2cb7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\818461812\backup.exe
C:\Users\Admin\AppData\Local\Temp\818461812\backup.exe C:\Users\Admin\AppData\Local\Temp\818461812\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\System Restore.exe
"\System Restore.exe" \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:536

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:468

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:812

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1160

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1236

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1036

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1404

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:752

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1928

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1108

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:468

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:732

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
PID:1560

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1676

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:384

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1952

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:812

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1708

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1480

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1964

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1696

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:748

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1076

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:1928

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:1236

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
PID:764

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1804

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:1300

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1568

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
- System policy modification
PID:1732

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1252

C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\data.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1692

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1972

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
- Disables RegEdit via registry modification
PID:1144

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1364

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:1340

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\update.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1952

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:1376

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:820

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Drops file in Program Files directory
PID:2028

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:884

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:1712

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:2024

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:1752

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:1756

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:988

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:1684

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1736

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
- System policy modification
PID:1068

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1036

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
PID:1668

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1884

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
PID:1996

C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:536

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:1976

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:2008

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1744

C:\Program Files\Common Files\System\ado\en-US\backup.exe
"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:1348

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
- Disables RegEdit via registry modification
PID:1556

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1300

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
- Disables RegEdit via registry modification
PID:1144

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:936

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:1928

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:748

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
- System policy modification
PID:1252

C:\Program Files\Common Files\System\fr-FR\update.exe
"C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
PID:1900

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1208

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
- Disables RegEdit via registry modification
PID:1408

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
- Disables RegEdit via registry modification
PID:1592

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
- System policy modification
PID:2028

C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe
"C:\Program Files\Common Files\System\msadc\en-US\System Restore.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:1548

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1188

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
PID:1116

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
- Disables RegEdit via registry modification
PID:824

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
PID:648

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- Drops file in Program Files directory
PID:1060

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:544

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:1520

C:\Program Files\Common Files\System\Ole DB\es-ES\data.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\data.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1192

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:936

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:1724

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:1720

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Drops file in Program Files directory
PID:1948

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:732

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:932

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:920

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- Disables RegEdit via registry modification
PID:1724

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:1620

C:\Program Files\DVD Maker\Shared\update.exe
"C:\Program Files\DVD Maker\Shared\update.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:1436

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1576

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1348

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:764

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:956

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:1252

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1504

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\update.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
PID:1208

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
- Disables RegEdit via registry modification
PID:2024

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:1736

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:916

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:1996

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
PID:1696

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
PID:876

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:1224

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
- Disables RegEdit via registry modification
PID:1240

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
- Disables RegEdit via registry modification
PID:384

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:676

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:1560

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
- Disables RegEdit via registry modification
PID:1952

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
PID:2016

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
PID:1408

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:532

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1740

C:\Program Files\Google\Chrome\Application\backup.exe
"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
7⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1652

C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
8⤵
- Drops file in Program Files directory
PID:1884

C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
9⤵
PID:916

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
9⤵
PID:1548

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
9⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1116

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1680

C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
9⤵
PID:648

C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
9⤵
- Disables RegEdit via registry modification
PID:952

C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1676

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
9⤵
- Drops file in Program Files directory
PID:956

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
10⤵
PID:1900

C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
11⤵
PID:1340

C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
"C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1520

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
PID:1748

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
PID:384

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:2000

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:932

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:468

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:1908

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1500

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:268

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:1456

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1740

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1484

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:748

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:1756

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:1436

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1576

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:1464

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1564

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- System policy modification
PID:1608

C:\Program Files (x86)\Adobe\Reader 9.0\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1692

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:1944

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Drops file in Program Files directory
PID:1972

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
PID:880

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- Disables RegEdit via registry modification
PID:1628

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1480

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
- Drops file in Program Files directory
- System policy modification
PID:752

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:1224

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:1108

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:432

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1920

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
- Drops file in Program Files directory
PID:2044

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- System policy modification
PID:932

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:884

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
PID:2032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1628

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:1056

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
- Disables RegEdit via registry modification
- System policy modification
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:752

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
- Modifies visibility of file extensions in Explorer
PID:672

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
PID:1592

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
- Drops file in Program Files directory
PID:764

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:1364

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
- System policy modification
PID:1144

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:1520

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Drops file in Program Files directory
PID:1160

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:1504

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
PID:1756

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1208

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:1620

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
- Disables RegEdit via registry modification
PID:856

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
- Drops file in Program Files directory
- System policy modification
PID:1976

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
- Drops file in Program Files directory
PID:1888

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
- System policy modification
PID:1716

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1744

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
- System policy modification
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:1760

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
- System policy modification
PID:1592

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:1240

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:384

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
PID:1508

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:1376

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:1952

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1752

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:936

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
- Drops file in Program Files directory
PID:1768

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
PID:1288

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1552

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
PID:316

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:1624

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\update.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\update.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:1036

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
PID:1060

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:1964

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
PID:924

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
8⤵
- System policy modification
PID:916

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:536

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1716

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
- Disables RegEdit via registry modification
PID:1620

C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1076

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1428

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
8⤵
- Disables RegEdit via registry modification
PID:340

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
7⤵
PID:752

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1424

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
7⤵
PID:820

C:\Program Files (x86)\Common Files\microsoft shared\Help\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
7⤵
- Drops file in Program Files directory
PID:1588

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
8⤵
PID:1592

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1908

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
8⤵
PID:764

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1164

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
8⤵
PID:1144

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
8⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:1560

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
8⤵
- System policy modification
PID:1340

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
8⤵
PID:2004

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
8⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1148

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
8⤵
- Disables RegEdit via registry modification
PID:1240

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1160

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
8⤵
PID:2016

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
8⤵
- Disables RegEdit via registry modification
PID:664

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
8⤵
PID:1664

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
8⤵
- System policy modification
PID:1708

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
8⤵
- System policy modification
PID:1228

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
8⤵
PID:1544

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
PID:1736

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:1036

C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
8⤵
PID:316

C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
7⤵
- Disables RegEdit via registry modification
PID:1964

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
8⤵
PID:1668

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:808

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
- System policy modification
PID:1424

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1592

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
PID:384

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1252

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:1520

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:1952

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
7⤵
- Drops file in Program Files directory
PID:1664

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
8⤵
PID:1228

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
8⤵
- System policy modification
PID:1568

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
8⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1060

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1836

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
9⤵
PID:1636

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
9⤵
PID:1668

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
9⤵
- Modifies visibility of file extensions in Explorer
PID:824

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
9⤵
PID:820

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1928

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
9⤵
PID:1676

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
9⤵
PID:812

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
9⤵
PID:1588

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
9⤵
PID:1768

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
9⤵
PID:1724

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
9⤵
PID:340

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
9⤵
PID:1592

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
9⤵
PID:432

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
9⤵
PID:1480

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
9⤵
PID:2004

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
9⤵
PID:880

C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:916

C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
7⤵
PID:1348

C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
7⤵
PID:532

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
7⤵
PID:1588

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
7⤵
PID:1056

C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
7⤵
PID:1752

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:1576

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:924

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
7⤵
PID:1664

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
PID:1732

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
PID:1984

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:1188

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:2032

C:\Program Files (x86)\Google\Policies\backup.exe
"C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
6⤵
PID:1428

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:1560

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:2020

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:1636

C:\Program Files (x86)\Microsoft Analysis Services\data.exe
"C:\Program Files (x86)\Microsoft Analysis Services\data.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
- Disables RegEdit via registry modification
PID:820

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:520

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:1388

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:1288

C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
"C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
5⤵
PID:1488

C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
5⤵
PID:816

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- System policy modification
PID:1624

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1768

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:924

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
- Modifies visibility of file extensions in Explorer
PID:536

C:\Users\Admin\Documents\data.exe
C:\Users\Admin\Documents\data.exe C:\Users\Admin\Documents\
6⤵
PID:1076

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:1224

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:648

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1108

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
- Disables RegEdit via registry modification
- System policy modification
PID:1676

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1920

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:1580

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:1588

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:2016

C:\Users\Public\data.exe
C:\Users\Public\data.exe C:\Users\Public\
5⤵
PID:1756

C:\Users\Public\Documents\System Restore.exe
"C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
6⤵
- System policy modification
PID:1544

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:1576

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
- Modifies visibility of file extensions in Explorer
PID:316

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:1996

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- System policy modification
PID:1056

C:\Users\Public\Pictures\Sample Pictures\backup.exe
"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
7⤵
PID:1804

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:1680

C:\Users\Public\Recorded TV\Sample Media\backup.exe
"C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
7⤵
PID:1224

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:1424

C:\Users\Public\Videos\Sample Videos\backup.exe
"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
7⤵
PID:764

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
PID:1192

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:1760

C:\Windows\AppCompat\update.exe
C:\Windows\AppCompat\update.exe C:\Windows\AppCompat\
5⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
PID:1648

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
PID:1504

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
PID:1896

C:\Windows\AppPatch\Custom\Custom64\data.exe
C:\Windows\AppPatch\Custom\Custom64\data.exe C:\Windows\AppPatch\Custom\Custom64\
7⤵
PID:1608

C:\Windows\AppPatch\de-DE\backup.exe
C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
6⤵
PID:1916

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:1760

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:1544

C:\Windows\AppPatch\fr-FR\backup.exe
C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
6⤵
PID:852

C:\Windows\AppPatch\it-IT\backup.exe
C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
6⤵
PID:1900

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
PID:536

C:\Windows\Branding\backup.exe
C:\Windows\Branding\backup.exe C:\Windows\Branding\
5⤵
PID:2040

C:\Windows\CSC\backup.exe
C:\Windows\CSC\backup.exe C:\Windows\CSC\
5⤵
PID:1712

C:\Windows\Cursors\backup.exe
C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
5⤵
PID:1068

C:\Windows\debug\backup.exe
C:\Windows\debug\backup.exe C:\Windows\debug\
5⤵
PID:1696

C:\Windows\de-DE\backup.exe
C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
5⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1952

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
3e12134523b55420c9c0d8c400e76f93

SHA1
4c8766c5545cb8ac6e9abd8c7dbe464f109e1880

SHA256
15c973f742d442322fa91f8bf74d8d23caa977add01b1810d0acde6f2672002e

SHA512
fbb3f44f50894d2bb11dac022617ff5b489607c5b9982f51b5676213974e93efb6a1f7281b4e30196ac710830ea2e39b7fc44319057d517ad0691be6f9ef8425

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
2bc4581c8109d7f3af0e7519347f6ba1

SHA1
fe9c7d299b30c83e4e4bb161e744783a7cd38ee3

SHA256
9f25a4c071eeabb02b3708d580a96c0268f6d1ab35c1b37c1cbaeeb1e4db0d31

SHA512
bc3db2b0f4af33d35c9ecfc2bcce7db5fb29d3ca6df71d9af3f5fad7e079a8de7f1cd1a7712675c22017f74ecdf708c255cceaa1d3fe474054527b49fbaedc6a

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
2bc4581c8109d7f3af0e7519347f6ba1

SHA1
fe9c7d299b30c83e4e4bb161e744783a7cd38ee3

SHA256
9f25a4c071eeabb02b3708d580a96c0268f6d1ab35c1b37c1cbaeeb1e4db0d31

SHA512
bc3db2b0f4af33d35c9ecfc2bcce7db5fb29d3ca6df71d9af3f5fad7e079a8de7f1cd1a7712675c22017f74ecdf708c255cceaa1d3fe474054527b49fbaedc6a

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
fefaff3165c8ac648670e5ef6e819cf4

SHA1
bf32fd25840ebc74ceb86aabf261f58881bf34e6

SHA256
3d7aa4c93637b985a1041ae65a795687613ef1ec7abb11efedaec4b961905bc5

SHA512
4b4bf305a3ba64ecf27e9a52ac0bdbc69b6f1d8774091e7f2fe350d866ef50fe02ede51f142903438be3c06d93e06ae293ff6aa1fac8f0b14090cb08782d09da

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
fefaff3165c8ac648670e5ef6e819cf4

SHA1
bf32fd25840ebc74ceb86aabf261f58881bf34e6

SHA256
3d7aa4c93637b985a1041ae65a795687613ef1ec7abb11efedaec4b961905bc5

SHA512
4b4bf305a3ba64ecf27e9a52ac0bdbc69b6f1d8774091e7f2fe350d866ef50fe02ede51f142903438be3c06d93e06ae293ff6aa1fac8f0b14090cb08782d09da

Download Submit
C:\System Restore.exe
Filesize
72KB

MD5
ee9a8c5b8ed49bb56b2435042dc1e0ea

SHA1
c7f311e88e5e186b7040985b191aa492711c5961

SHA256
a3de0f236aab9a1f4e812e9b1641963c200efca8c038508a0ca4db81c4693b6b

SHA512
ad7ecf28a394fb816bc0e8c4c908e7d9f4d4eeef6bda2fe29ed59aea94b8bb6edf47d82491ff8a5bcb61fcdcdb2b2b8c0c3549a37f110d968acf5de727739b26

Download Submit
C:\System Restore.exe
Filesize
72KB

MD5
ee9a8c5b8ed49bb56b2435042dc1e0ea

SHA1
c7f311e88e5e186b7040985b191aa492711c5961

SHA256
a3de0f236aab9a1f4e812e9b1641963c200efca8c038508a0ca4db81c4693b6b

SHA512
ad7ecf28a394fb816bc0e8c4c908e7d9f4d4eeef6bda2fe29ed59aea94b8bb6edf47d82491ff8a5bcb61fcdcdb2b2b8c0c3549a37f110d968acf5de727739b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\818461812\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
C:\Users\Admin\AppData\Local\Temp\818461812\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
3e12134523b55420c9c0d8c400e76f93

SHA1
4c8766c5545cb8ac6e9abd8c7dbe464f109e1880

SHA256
15c973f742d442322fa91f8bf74d8d23caa977add01b1810d0acde6f2672002e

SHA512
fbb3f44f50894d2bb11dac022617ff5b489607c5b9982f51b5676213974e93efb6a1f7281b4e30196ac710830ea2e39b7fc44319057d517ad0691be6f9ef8425

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
3e12134523b55420c9c0d8c400e76f93

SHA1
4c8766c5545cb8ac6e9abd8c7dbe464f109e1880

SHA256
15c973f742d442322fa91f8bf74d8d23caa977add01b1810d0acde6f2672002e

SHA512
fbb3f44f50894d2bb11dac022617ff5b489607c5b9982f51b5676213974e93efb6a1f7281b4e30196ac710830ea2e39b7fc44319057d517ad0691be6f9ef8425

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
2bc4581c8109d7f3af0e7519347f6ba1

SHA1
fe9c7d299b30c83e4e4bb161e744783a7cd38ee3

SHA256
9f25a4c071eeabb02b3708d580a96c0268f6d1ab35c1b37c1cbaeeb1e4db0d31

SHA512
bc3db2b0f4af33d35c9ecfc2bcce7db5fb29d3ca6df71d9af3f5fad7e079a8de7f1cd1a7712675c22017f74ecdf708c255cceaa1d3fe474054527b49fbaedc6a

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
2bc4581c8109d7f3af0e7519347f6ba1

SHA1
fe9c7d299b30c83e4e4bb161e744783a7cd38ee3

SHA256
9f25a4c071eeabb02b3708d580a96c0268f6d1ab35c1b37c1cbaeeb1e4db0d31

SHA512
bc3db2b0f4af33d35c9ecfc2bcce7db5fb29d3ca6df71d9af3f5fad7e079a8de7f1cd1a7712675c22017f74ecdf708c255cceaa1d3fe474054527b49fbaedc6a

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
b2c1fd7c5417b5ca8ac5eea0027596a7

SHA1
5ede26cedfeacece0ab9e2ce91ee99fa7b23888a

SHA256
5c8adfd793a08370cc712b2d5041a2d7b5900e14f4e6143f57b2e88e48164e1b

SHA512
c1f4f7c310751955b6ce09a4bdff600fe1f713e24bcff8ae1efe6e86510a11478bf1ff9e7aaa54fab5ff34e66349e12719216991cdae55b0ec31fac17eb92cc6

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
7407246b1facde685506a62725d302fc

SHA1
1d2dca2a19de78e7f098a4b1baeeb31344d9cc24

SHA256
c0841a72aa00c821d60f9282338d4eeb2787dc1140de18258005ff8b52b6cc00

SHA512
659fe0d199f2226abbe7400e52581964fd5980f2370bf303d9b655f6d29f9162633a26cdf61052a11a63683e2a96f1eaac46ed0706378d027141dc980147f01f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
6a1ac0ce33b051053d6b1e1641fde9d4

SHA1
97b047c16407d063614590765c06dc26687a83d4

SHA256
ec824235aa7db80e9622a7db6668511ba2b253f35ec9a4ee0837cc1f407358fb

SHA512
b9282868f367d241937364abd928ec84b4d68b248fa542efcef5d18e2c5b6fd3e25278a634409539e80d751dd90b2dfa16aa9d852c994db4146ec7a9b8eee3bb

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
57177af5b0c2499a729bc5c9f67dfce7

SHA1
9fcb9c213a3445199e576dff64a754b15d013b77

SHA256
287dc0a377fbe68f49e6fe8f765bfe91d94c65fe4fb42583a863afa73b6cb987

SHA512
b5056c8522f52c1d8fdb7984fd2cac24e5ffb06a7ef017a6c456df46f5bcc582299c7d788592012f6d94a4332e8e1fc57cd206618fe55b23dfca8752edafe9af

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
fefaff3165c8ac648670e5ef6e819cf4

SHA1
bf32fd25840ebc74ceb86aabf261f58881bf34e6

SHA256
3d7aa4c93637b985a1041ae65a795687613ef1ec7abb11efedaec4b961905bc5

SHA512
4b4bf305a3ba64ecf27e9a52ac0bdbc69b6f1d8774091e7f2fe350d866ef50fe02ede51f142903438be3c06d93e06ae293ff6aa1fac8f0b14090cb08782d09da

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
fefaff3165c8ac648670e5ef6e819cf4

SHA1
bf32fd25840ebc74ceb86aabf261f58881bf34e6

SHA256
3d7aa4c93637b985a1041ae65a795687613ef1ec7abb11efedaec4b961905bc5

SHA512
4b4bf305a3ba64ecf27e9a52ac0bdbc69b6f1d8774091e7f2fe350d866ef50fe02ede51f142903438be3c06d93e06ae293ff6aa1fac8f0b14090cb08782d09da

Download Submit
\Users\Admin\AppData\Local\Temp\818461812\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\818461812\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
59c0eeeb1bb32fc2fe1ee10cca05a858

SHA1
474e250b80c799f5403c5b260e8ad369b987d8a3

SHA256
a3d50124c04006a5c400a77ea62fa08312df48b0d13f96c2bcc031ee0a0d3195

SHA512
e817fe6643d568958dd94d2ff0c2266d99c1df85944fb5ce8c30f46f3e38cfb9e5dc6471b081f455f38d661aa35c2eebb56e6d9115b55fb192aee493004ed831

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
f3c89fe1baf7537efeeb8ba5dd77e2de

SHA1
a63b50ebf64683462859300a2c301d91135d92cb

SHA256
888f20c9a7370c802a0309faee3eddc53ddfd19dc0aa3e35bcb879fe7fc11375

SHA512
4934a0cc896a6c595729ecf2fec45a88d68c42a5fd88d964aab423dfa31a21a61ef7890c20babfb5d5cbac8173e84db00702d9f2c19cf02d39d2181bbb73f856

Download Submit
memory/384-257-0x0000000000000000-mapping.dmp

Download
memory/468-236-0x0000000000000000-mapping.dmp

Download
memory/468-135-0x0000000000000000-mapping.dmp

Download
memory/536-114-0x0000000000000000-mapping.dmp

Download
memory/732-245-0x0000000000000000-mapping.dmp

Download
memory/748-311-0x0000000000000000-mapping.dmp

Download
memory/752-218-0x0000000000000000-mapping.dmp

Download
memory/812-182-0x0000000000000000-mapping.dmp

Download
memory/812-269-0x0000000000000000-mapping.dmp

Download
memory/856-148-0x0000000000000000-mapping.dmp

Download
memory/880-88-0x0000000000000000-mapping.dmp

Download
memory/916-212-0x0000000000000000-mapping.dmp

Download
memory/924-161-0x0000000000000000-mapping.dmp

Download
memory/940-70-0x0000000000000000-mapping.dmp

Download
memory/1036-209-0x0000000000000000-mapping.dmp

Download
memory/1092-98-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1092-118-0x0000000073F71000-0x0000000073F73000-memory.dmp

Filesize
8KB

Download
memory/1108-233-0x0000000000000000-mapping.dmp

Download
memory/1116-302-0x0000000000000000-mapping.dmp

Download
memory/1160-272-0x0000000000000000-mapping.dmp

Download
memory/1160-185-0x0000000000000000-mapping.dmp

Download
memory/1192-76-0x0000000000000000-mapping.dmp

Download
memory/1236-206-0x0000000000000000-mapping.dmp

Download
memory/1300-239-0x0000000000000000-mapping.dmp

Download
memory/1340-174-0x0000000000000000-mapping.dmp

Download
memory/1376-263-0x0000000000000000-mapping.dmp

Download
memory/1404-215-0x0000000000000000-mapping.dmp

Download
memory/1408-82-0x0000000000000000-mapping.dmp

Download
memory/1424-249-0x0000000000000000-mapping.dmp

Download
memory/1424-155-0x0000000000000000-mapping.dmp

Download
memory/1468-296-0x0000000000000000-mapping.dmp

Download
memory/1472-281-0x0000000000000000-mapping.dmp

Download
memory/1472-194-0x0000000000000000-mapping.dmp

Download
memory/1480-293-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1552-221-0x0000000000000000-mapping.dmp

Download
memory/1560-252-0x0000000000000000-mapping.dmp

Download
memory/1568-242-0x0000000000000000-mapping.dmp

Download
memory/1576-107-0x0000000000000000-mapping.dmp

Download
memory/1676-253-0x0000000000000000-mapping.dmp

Download
memory/1680-141-0x0000000000000000-mapping.dmp

Download
memory/1696-308-0x0000000000000000-mapping.dmp

Download
memory/1708-191-0x0000000000000000-mapping.dmp

Download
memory/1708-278-0x0000000000000000-mapping.dmp

Download
memory/1720-290-0x0000000000000000-mapping.dmp

Download
memory/1720-203-0x0000000000000000-mapping.dmp

Download
memory/1736-200-0x0000000000000000-mapping.dmp

Download
memory/1736-94-0x0000000000000000-mapping.dmp

Download
memory/1736-287-0x0000000000000000-mapping.dmp

Download
memory/1740-197-0x0000000000000000-mapping.dmp

Download
memory/1740-284-0x0000000000000000-mapping.dmp

Download
memory/1776-58-0x0000000000000000-mapping.dmp

Download
memory/1868-100-0x0000000000000000-mapping.dmp

Download
memory/1888-227-0x0000000000000000-mapping.dmp

Download
memory/1928-230-0x0000000000000000-mapping.dmp

Download
memory/1952-64-0x0000000000000000-mapping.dmp

Download
memory/1952-260-0x0000000000000000-mapping.dmp

Download
memory/1964-305-0x0000000000000000-mapping.dmp

Download
memory/1968-128-0x0000000000000000-mapping.dmp

Download
memory/1988-121-0x0000000000000000-mapping.dmp

Download
memory/1996-299-0x0000000000000000-mapping.dmp

Download
memory/2008-224-0x0000000000000000-mapping.dmp

Download
memory/2024-275-0x0000000000000000-mapping.dmp

Download
memory/2024-188-0x0000000000000000-mapping.dmp

Download
memory/2040-266-0x0000000000000000-mapping.dmp

Download
memory/2040-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads