5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764

Analysis

max time kernel
66s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
Size

72KB
MD5

019903ece4c3f084cfcf3b69a491749e
SHA1

888f8d31f08ef96c1f6017ad8c9f3b7b20005471
SHA256

5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764
SHA512

184c1f026612a4734c6ff511ac359ed4381af2e8f0ebaa0f392d54f07dc69bc872624b6610cea2011293fad1182ac969ff824a8444aa349b80519471abf7bc1e
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2V:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPh

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2016	backup.exe
1784	backup.exe
580	update.exe
268	backup.exe
1724	backup.exe
336	backup.exe
884	System Restore.exe
816	backup.exe
2036	backup.exe
1176	backup.exe
1904	backup.exe
2004	backup.exe
2032	backup.exe
1524	backup.exe
960	backup.exe
1120	backup.exe
864	backup.exe
1060	backup.exe
1592	backup.exe
1732	System Restore.exe
1204	backup.exe
1980	backup.exe
1984	backup.exe
1960	backup.exe
1944	backup.exe
588	backup.exe
1704	backup.exe
1552	backup.exe
2024	backup.exe
1456	backup.exe
1968	backup.exe
1444	backup.exe
1480	backup.exe
1884	data.exe
972	backup.exe
1632	backup.exe
1920	backup.exe
432	backup.exe
1828	backup.exe
924	backup.exe
1668	backup.exe
1072	System Restore.exe
1620	backup.exe
888	backup.exe
860	backup.exe
468	backup.exe
1464	backup.exe
1936	backup.exe
520	backup.exe
360	backup.exe
836	backup.exe
1368	backup.exe
1792	backup.exe
1600	backup.exe
2028	backup.exe
1208	backup.exe
1732	backup.exe
1992	backup.exe
1980	backup.exe
1516	backup.exe
1960	backup.exe
1944	backup.exe
1704	backup.exe
1184	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
580	update.exe
580	update.exe
580	update.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
816	backup.exe
816	backup.exe
2036	backup.exe
2036	backup.exe
816	backup.exe
816	backup.exe
1904	backup.exe
1904	backup.exe
2004	backup.exe
2004	backup.exe
1904	backup.exe
1904	backup.exe
1524	backup.exe
1524	backup.exe
960	backup.exe
960	backup.exe
960	backup.exe
960	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
1156	backup.exe
960	backup.exe
960	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe
1704	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe	backup.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe	backup.exe
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\BDATunePIA\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
2016	backup.exe
1784	backup.exe
580	update.exe
268	backup.exe
1724	backup.exe
336	backup.exe
884	System Restore.exe
816	backup.exe
2036	backup.exe
1176	backup.exe
1904	backup.exe
2004	backup.exe
2032	backup.exe
1524	backup.exe
960	backup.exe
1120	backup.exe
552	backup.exe
1372	backup.exe
668	backup.exe
468	backup.exe
1684	backup.exe
892	backup.exe
1696	backup.exe
1132	backup.exe
1756	backup.exe
1700	backup.exe
1368	backup.exe
1156	backup.exe
1060	backup.exe
1592	backup.exe
1732	System Restore.exe
1204	backup.exe
1980	backup.exe
1984	backup.exe
1960	backup.exe
1944	backup.exe
588	backup.exe
824	backup.exe
1536	backup.exe
1172	backup.exe
432	data.exe
2004	System Restore.exe
1260	backup.exe
1084	backup.exe
1216	backup.exe
1072	backup.exe
1476	backup.exe
984	backup.exe
900	backup.exe
860	backup.exe
620	backup.exe
980	backup.exe
684	backup.exe
796	backup.exe
520	backup.exe
1728	backup.exe
1580	backup.exe
1724	backup.exe
1816	backup.exe
1792	backup.exe
1488	backup.exe
1060	backup.exe
1704	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2016	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	27
PID 1048 wrote to memory of 2016	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	27
PID 1048 wrote to memory of 2016	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	27
PID 1048 wrote to memory of 2016	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	27
PID 1048 wrote to memory of 1784	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	28
PID 1048 wrote to memory of 1784	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	28
PID 1048 wrote to memory of 1784	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	28
PID 1048 wrote to memory of 1784	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	28
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 580	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	29
PID 1048 wrote to memory of 268	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	30
PID 1048 wrote to memory of 268	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	30
PID 1048 wrote to memory of 268	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	30
PID 1048 wrote to memory of 268	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	30
PID 1048 wrote to memory of 1724	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	31
PID 1048 wrote to memory of 1724	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	31
PID 1048 wrote to memory of 1724	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	31
PID 1048 wrote to memory of 1724	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	31
PID 1048 wrote to memory of 336	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	32
PID 1048 wrote to memory of 336	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	32
PID 1048 wrote to memory of 336	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	32
PID 1048 wrote to memory of 336	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	32
PID 1048 wrote to memory of 884	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	33
PID 1048 wrote to memory of 884	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	33
PID 1048 wrote to memory of 884	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	33
PID 1048 wrote to memory of 884	1048	5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe	33
PID 2016 wrote to memory of 816	2016	backup.exe	34
PID 2016 wrote to memory of 816	2016	backup.exe	34
PID 2016 wrote to memory of 816	2016	backup.exe	34
PID 2016 wrote to memory of 816	2016	backup.exe	34
PID 816 wrote to memory of 2036	816	backup.exe	35
PID 816 wrote to memory of 2036	816	backup.exe	35
PID 816 wrote to memory of 2036	816	backup.exe	35
PID 816 wrote to memory of 2036	816	backup.exe	35
PID 2036 wrote to memory of 1176	2036	backup.exe	36
PID 2036 wrote to memory of 1176	2036	backup.exe	36
PID 2036 wrote to memory of 1176	2036	backup.exe	36
PID 2036 wrote to memory of 1176	2036	backup.exe	36
PID 816 wrote to memory of 1904	816	backup.exe	37
PID 816 wrote to memory of 1904	816	backup.exe	37
PID 816 wrote to memory of 1904	816	backup.exe	37
PID 816 wrote to memory of 1904	816	backup.exe	37
PID 1904 wrote to memory of 2004	1904	backup.exe	38
PID 1904 wrote to memory of 2004	1904	backup.exe	38
PID 1904 wrote to memory of 2004	1904	backup.exe	38
PID 1904 wrote to memory of 2004	1904	backup.exe	38
PID 2004 wrote to memory of 2032	2004	backup.exe	39
PID 2004 wrote to memory of 2032	2004	backup.exe	39
PID 2004 wrote to memory of 2032	2004	backup.exe	39
PID 2004 wrote to memory of 2032	2004	backup.exe	39
PID 1904 wrote to memory of 1524	1904	backup.exe	40
PID 1904 wrote to memory of 1524	1904	backup.exe	40
PID 1904 wrote to memory of 1524	1904	backup.exe	40
PID 1904 wrote to memory of 1524	1904	backup.exe	40
PID 1524 wrote to memory of 960	1524	backup.exe	41
PID 1524 wrote to memory of 960	1524	backup.exe	41
PID 1524 wrote to memory of 960	1524	backup.exe	41
PID 1524 wrote to memory of 960	1524	backup.exe	41
PID 960 wrote to memory of 1120	960	backup.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe
"C:\Users\Admin\AppData\Local\Temp\5d8c59b01867ec53013c011e22796deca9e4bff9e99a0085e89c806769a37764.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\135960365\backup.exe
  C:\Users\Admin\AppData\Local\Temp\135960365\backup.exe C:\Users\Admin\AppData\Local\Temp\135960365\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:816
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1176
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Disables RegEdit via registry modification
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1552
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:2024
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        
        PID:1456
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\data.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:1884
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:432
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Executes dropped EXE
        System policy modification
        
        PID:924
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        Executes dropped EXE
        
        PID:520
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:360
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Executes dropped EXE
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        Executes dropped EXE
        
        PID:1208
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        
        PID:1732
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1992
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        
        PID:1980
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1516
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1960
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        System policy modification
        
        PID:1704
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1184
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1884
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:976
        
        C:\Program Files\Common Files\System\ado\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\data.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:304
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2004
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        System policy modification
        
        PID:1656
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:1180
        
        C:\Program Files\Common Files\System\fr-FR\update.exe
        
        "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1952
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1408
        
        C:\Program Files\Common Files\System\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\System\ja-JP\System Restore.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:944
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1784
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:1280
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1688
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:2020
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1164
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2000
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1148
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:520
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\update.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1724
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1588
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\data.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:884
    - - C:\Program Files\DVD Maker\data.exe
        
        "C:\Program Files\DVD Maker\data.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:452
      - C:\Program Files\DVD Maker\de-DE\System Restore.exe
        
        "C:\Program Files\DVD Maker\de-DE\System Restore.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:1292
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1208
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2024
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1984
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1708
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1156
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1528
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1260
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:924
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1388
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1372
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:796
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1756
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:836
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        System policy modification
        
        PID:1812
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1148
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1492
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:1520
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:1980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1704
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        System policy modification
        
        PID:1884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:1828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:1216
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1072
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1784
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:1688
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:568
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2000
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        
        PID:1544
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:776
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:864
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        System policy modification
        
        PID:1380
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1456
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1044
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        
        PID:1608
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        System policy modification
        
        PID:1984
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1960
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        System policy modification
        
        PID:1884
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        
        PID:1084
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:324
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:620
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:336
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1528
      - C:\Program Files\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files\Internet Explorer\es-ES\update.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:520
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:584
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1792
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1456
      - C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1292
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        System policy modification
        
        PID:1176
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Drops file in Program Files directory
        
        PID:1952
        
        C:\Program Files\Java\jdk1.7.0_80\bin\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\update.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2004
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:832
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        System policy modification
        
        PID:1696
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        System policy modification
        
        PID:1756
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:1964
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\update.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:1732
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        
        PID:1720
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        Drops file in Program Files directory
        
        PID:1544
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:552
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:1972
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        
        PID:884
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:1756
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:1812
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:2024
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:1772
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:1960
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:388
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        Disables RegEdit via registry modification
        
        PID:568
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        10⤵
        
        PID:1084
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        Disables RegEdit via registry modification
        
        PID:552
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        System policy modification
        
        PID:1444
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1416
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1740
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        10⤵
        
        PID:1656
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        11⤵
        
        PID:888
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        11⤵
        
        PID:588
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        11⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        11⤵
        
        PID:1596
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        10⤵
        Disables RegEdit via registry modification
        
        PID:668
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        10⤵
        
        PID:1516
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        10⤵
        
        PID:1716
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        10⤵
        
        PID:1960
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        10⤵
        
        PID:452
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        10⤵
        
        PID:296
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        10⤵
        
        PID:1820
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1372
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1044
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1188
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1292
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:1992
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        
        PID:1072
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        Disables RegEdit via registry modification
        
        PID:976
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:1792
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        
        PID:776
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:1528
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:644
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:1708
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:2060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:2228
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        
        PID:2352
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        
        PID:632
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        
        PID:1784
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1408
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        Drops file in Program Files directory
        
        PID:1996
        
        C:\Program Files\Java\jre7\bin\dtplugin\data.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\data.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        
        PID:1280
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:2040
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:1516
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        
        PID:892
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1792
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:2124
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        
        PID:2300
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Drops file in Program Files directory
        
        PID:1980
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        Drops file in Program Files directory
        
        PID:1216
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:892
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2020
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        Disables RegEdit via registry modification
        
        PID:568
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:2028
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:336
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:2008
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:588
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:1928
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:1548
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:2052
      - C:\Program Files\Microsoft Games\Multiplayer\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:2236
      - C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        6⤵
        
        PID:2344
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1056
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1492
      - C:\Program Files\Mozilla Firefox\browser\data.exe
        
        "C:\Program Files\Mozilla Firefox\browser\data.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:2100
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2260
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2388
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        System policy modification
        
        PID:1516
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:900
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1520
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2220
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2332
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:960
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1180
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        System policy modification
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:1368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1524
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        System policy modification
        
        PID:1984
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        Disables RegEdit via registry modification
        
        PID:388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2004
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Drops file in Program Files directory
        
        PID:2008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        System policy modification
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        System policy modification
        
        PID:2036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1708
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        System policy modification
        
        PID:1156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1580
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1256
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        System policy modification
        
        PID:1588
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1416
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1508
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:1720
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\System Restore.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:2036
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1704
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:984
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        System policy modification
        
        PID:1476
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2008
      - C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1812
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        Drops file in Program Files directory
        
        PID:576
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1656
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:856
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:1632
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:984
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:432
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:796
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        
        PID:1380
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1416
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        
        PID:1056
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        Disables RegEdit via registry modification
        
        PID:336
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        System policy modification
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:980
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        Drops file in Program Files directory
        
        PID:1312
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:900
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        System policy modification
        
        PID:1172
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1184
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:1044
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        Disables RegEdit via registry modification
        
        PID:620
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:584
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:824
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:1372
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        System policy modification
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        
        PID:1156
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        System policy modification
        
        PID:584
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        System policy modification
        
        PID:1260
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        
        PID:388
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:684
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        
        PID:1444
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        
        PID:1204
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        
        PID:884
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        
        PID:2068
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:2248
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        
        PID:2412
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:468
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        
        PID:1532
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1180
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:2376
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:2004
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2024
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:832
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:860
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1184
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1524
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:824
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2168
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2360
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        System policy modification
        
        PID:1948
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:924
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1536
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:632
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        Disables RegEdit via registry modification
        
        PID:776
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1668
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\
        9⤵
        
        PID:1988
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        System policy modification
        
        PID:1084
        
        C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\
        8⤵
        
        PID:900
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1816
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:584
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\data.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:900
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1632
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:1936
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1084
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1688
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1664
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1188
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1292
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:324
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2404
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      System policy modification
      PID:1980
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:360
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1716
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1996
      - C:\Users\Admin\Documents\System Restore.exe
        
        "C:\Users\Admin\Documents\System Restore.exe" C:\Users\Admin\Documents\
        6⤵
        
        PID:1884
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:1920
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1164
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1616
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1948
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1280
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1564
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        System policy modification
        
        PID:1524
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2036
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:2032
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1120
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:2020
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        System policy modification
        
        PID:1728
        
        C:\Users\Public\Pictures\Sample Pictures\update.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\update.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1936
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Users\Public\Recorded TV\Sample Media\System Restore.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\System Restore.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        Disables RegEdit via registry modification
        
        PID:584
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1524
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:1132
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      System policy modification
      PID:1704
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1820
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1884
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1072
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:684
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1112
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        System policy modification
        
        PID:1724
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:584
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:644
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:1772
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1616
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:976
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:992
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:468
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Drops file in Windows directory
        
        PID:980
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\assembly\GAC\Extensibility\update.exe
        
        C:\Windows\assembly\GAC\Extensibility\update.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:644
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1740
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1988
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:2004
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        8⤵
        System policy modification
        
        PID:1464
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1696
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1596
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        Drops file in Windows directory
        
        PID:1548
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:1292
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        Drops file in Windows directory
        
        PID:1148
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:1716
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1132
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1884
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2008
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1700
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:1640
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:1204
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1716
        
        C:\Windows\assembly\GAC_32\BDATunePIA\update.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\update.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:304
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:888
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Windows directory
        
        PID:796
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1184
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
        7⤵
        
        PID:1828
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:1960
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
        7⤵
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        
        PID:2004
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        
        PID:764
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\
        7⤵
        
        PID:1888
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:2212
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2368
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1508
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:684
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:816
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:1944
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        
        PID:2156
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\
        6⤵
        
        PID:2308
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1716
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:1464
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1696
    - - C:\Windows\debug\System Restore.exe
        
        "C:\Windows\debug\System Restore.exe" C:\Windows\debug\
        5⤵
        
        PID:1816
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:1648
    - - C:\Windows\DigitalLocker\update.exe
        
        C:\Windows\DigitalLocker\update.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:2192
    - - C:\Windows\Downloaded Program Files\backup.exe
        
        "C:\Windows\Downloaded Program Files\backup.exe" C:\Windows\Downloaded Program Files\
        5⤵
        
        PID:2324
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\Low\update.exe
  C:\Users\Admin\AppData\Local\Temp\Low\update.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:336
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c15debe9b2705a3975cb8b1a7fbfb258

SHA1
db68fc613fa4c7838b93519e871326544e0cfb29

SHA256
279f0162b7282dad24163e947b42c38651ca31d815fab47dc087a5a62b6ee9d4

SHA512
ea477d4f5034f4158199e491252eb30b1837c0ece2d217c16d9a8954cc01fe0b6303d56e064ed38116d225abacbae74159a7d5c38b414a006d07b539ba364f09

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1420884e8718af2f326c1cd02a40a365

SHA1
9fd8e8a13ac43708f3fe88abe8fe1a96fa48a1d6

SHA256
8bc260b91fa9fa4bf87079cd58ae5e28f461ec41c244b3e3413ed80263c73e29

SHA512
22d539e814af767926b51fa504d1d4ff0038664147a35c11fbe2399657a15d0d9a0c39090584e5f48c5f601a03e25207aa70d6cbbb5878da6d450aaaf05b0740

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
694fed1e07f29bb49acddf335476d4c5

SHA1
f761d606c0e219f2cd314bd840e9e617dada1df6

SHA256
e85536f987748f0c95c8e6d88cace9f422ae3eb4e2d27fc61729ba4d39bf3203

SHA512
3345eea14d91b032f0e06f0b69d1510ad424dbfe3dce821ea4de43cc505c5940b8b0a28ca51c36c59cc1ec855b4d9322e2b245e07b1d382003cfb797bb7c5503

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\135960365\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\135960365\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
C:\backup.exe

Filesize
72KB

MD5
99f083d072db064ac6e912c983ad19a8

SHA1
3cfd6ae8e3186dedee6ae77e28f56bf5f65a3581

SHA256
4ac788bc5e8b6e2bb44a70f01b9dd01efcdc6fbe8c8eebf7e5044a9a4d95a957

SHA512
45f35f626a00028f25ea98b215867bf94cc0d38418911e5b40c821cf5337361d521cf8ecc36b87d2de046973a21e332b2fd22cdd1784f957f17a1948ee19696c

Download Submit
C:\backup.exe

Filesize
72KB

MD5
99f083d072db064ac6e912c983ad19a8

SHA1
3cfd6ae8e3186dedee6ae77e28f56bf5f65a3581

SHA256
4ac788bc5e8b6e2bb44a70f01b9dd01efcdc6fbe8c8eebf7e5044a9a4d95a957

SHA512
45f35f626a00028f25ea98b215867bf94cc0d38418911e5b40c821cf5337361d521cf8ecc36b87d2de046973a21e332b2fd22cdd1784f957f17a1948ee19696c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c15debe9b2705a3975cb8b1a7fbfb258

SHA1
db68fc613fa4c7838b93519e871326544e0cfb29

SHA256
279f0162b7282dad24163e947b42c38651ca31d815fab47dc087a5a62b6ee9d4

SHA512
ea477d4f5034f4158199e491252eb30b1837c0ece2d217c16d9a8954cc01fe0b6303d56e064ed38116d225abacbae74159a7d5c38b414a006d07b539ba364f09

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
c15debe9b2705a3975cb8b1a7fbfb258

SHA1
db68fc613fa4c7838b93519e871326544e0cfb29

SHA256
279f0162b7282dad24163e947b42c38651ca31d815fab47dc087a5a62b6ee9d4

SHA512
ea477d4f5034f4158199e491252eb30b1837c0ece2d217c16d9a8954cc01fe0b6303d56e064ed38116d225abacbae74159a7d5c38b414a006d07b539ba364f09

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
444afd82576d565f25fa60256f173633

SHA1
0837d58ba0852a68f4f84221fd212cc08429d7df

SHA256
13696ce3c635d9fc3ccf48c51c186917125aa1ad51a8a595a2982d9d93c535ba

SHA512
488b8e94818ad1226c616397f99c184a519d8c30dc110cbb9a2063b7badd2076249df12e42e01dee5b02d436fed3a371ecd473f883eac310f164eb0cfad85445

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1420884e8718af2f326c1cd02a40a365

SHA1
9fd8e8a13ac43708f3fe88abe8fe1a96fa48a1d6

SHA256
8bc260b91fa9fa4bf87079cd58ae5e28f461ec41c244b3e3413ed80263c73e29

SHA512
22d539e814af767926b51fa504d1d4ff0038664147a35c11fbe2399657a15d0d9a0c39090584e5f48c5f601a03e25207aa70d6cbbb5878da6d450aaaf05b0740

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
1420884e8718af2f326c1cd02a40a365

SHA1
9fd8e8a13ac43708f3fe88abe8fe1a96fa48a1d6

SHA256
8bc260b91fa9fa4bf87079cd58ae5e28f461ec41c244b3e3413ed80263c73e29

SHA512
22d539e814af767926b51fa504d1d4ff0038664147a35c11fbe2399657a15d0d9a0c39090584e5f48c5f601a03e25207aa70d6cbbb5878da6d450aaaf05b0740

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
694fed1e07f29bb49acddf335476d4c5

SHA1
f761d606c0e219f2cd314bd840e9e617dada1df6

SHA256
e85536f987748f0c95c8e6d88cace9f422ae3eb4e2d27fc61729ba4d39bf3203

SHA512
3345eea14d91b032f0e06f0b69d1510ad424dbfe3dce821ea4de43cc505c5940b8b0a28ca51c36c59cc1ec855b4d9322e2b245e07b1d382003cfb797bb7c5503

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe

Filesize
72KB

MD5
694fed1e07f29bb49acddf335476d4c5

SHA1
f761d606c0e219f2cd314bd840e9e617dada1df6

SHA256
e85536f987748f0c95c8e6d88cace9f422ae3eb4e2d27fc61729ba4d39bf3203

SHA512
3345eea14d91b032f0e06f0b69d1510ad424dbfe3dce821ea4de43cc505c5940b8b0a28ca51c36c59cc1ec855b4d9322e2b245e07b1d382003cfb797bb7c5503

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
694fed1e07f29bb49acddf335476d4c5

SHA1
f761d606c0e219f2cd314bd840e9e617dada1df6

SHA256
e85536f987748f0c95c8e6d88cace9f422ae3eb4e2d27fc61729ba4d39bf3203

SHA512
3345eea14d91b032f0e06f0b69d1510ad424dbfe3dce821ea4de43cc505c5940b8b0a28ca51c36c59cc1ec855b4d9322e2b245e07b1d382003cfb797bb7c5503

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe

Filesize
72KB

MD5
694fed1e07f29bb49acddf335476d4c5

SHA1
f761d606c0e219f2cd314bd840e9e617dada1df6

SHA256
e85536f987748f0c95c8e6d88cace9f422ae3eb4e2d27fc61729ba4d39bf3203

SHA512
3345eea14d91b032f0e06f0b69d1510ad424dbfe3dce821ea4de43cc505c5940b8b0a28ca51c36c59cc1ec855b4d9322e2b245e07b1d382003cfb797bb7c5503

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
0f405cb9ead01c8465077687b6f56a22

SHA1
6477b90c28b8d99b4c55bd911944290da247d7f0

SHA256
c17335ee8192b6a7b85249cd2722237baed8e7fdab06fb0e462c58c040a5bc1e

SHA512
94982f1fdfd8afc7ad168f95302caba541012b7a0d389c2649a7243bd92932660655f6c3fe66e1bf8fdeb6f1597542e1f8814773b5e19896aa285d61c62dfca8

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
0b5fc9d8d921110806c3d38f4e9ad449

SHA1
c6a2123baa6983ab1950702a4dee29b6197c68bd

SHA256
e89a08ef91bdaa7764165a6d9111e5168ab2371ec78f13a1ed8f7d683cbd4904

SHA512
2ee7b699c8355464df3eb0512fdb8f8d41b4258af619d0c73776b3041aea413addf48c6a2e56906375603599bd7e145e9934e4151b38118abd870e37a871252d

Download Submit
\Users\Admin\AppData\Local\Temp\135960365\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\135960365\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\Low\update.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\System Restore.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
edb1dfcb14bbde50b6e626a9367eb6f2

SHA1
ebffbb0a2f7a46a2c1ef511bd0220b340c165b59

SHA256
a1eb25b510a005ab7c4565c7e195374c52a382e15c5f5d0bfd22f78f629293a9

SHA512
c6e930fbc5e829308570e91ef54588802a1226f1950012921cdb4296668a93067c453c16bc695b5975c9080e79921dd23b2e62bf791e45b1627f56a7a79274dc

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
a2b0b26bc1593617251a910ab9f91313

SHA1
2af3034d1af8439287eba2d18f8665c72fd1a2cf

SHA256
45b2a2da581bc154a6a6ae7624ae365edce347fc9c4ec9a36c3085247bb8c9c2

SHA512
bc22c8b036e727959c0ce8ed3b6fa4edd528c6a68896e93ccdb987778e889b60f6577f0bc0a5c5e9630a892e2e1cfbe6d7939faaa5dce593260ae28d1c4637fa

Download Submit
memory/580-72-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-122-0x0000000074571000-0x0000000074573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads