d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c

Analysis

max time kernel
152s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
Size

72KB
MD5

296c1f7453b119bb4940cdef6e77c296
SHA1

bf0ec930f8d3f1ff5cf3ccd60f5e8a33ed2aed9c
SHA256

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c
SHA512

b5011ab452935678170385c4ea53ad39336840fd7940a24e83b8cf4b7baf2d88dad29d84316097829c7caaaac2e897960b76976072c0e9e5fc57ae8245bc5517
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd3FAyvK:HeT7BVwxfvqguKRFA/

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exe

pid	process
572	backup.exe
556	backup.exe
568	backup.exe
520	backup.exe
1612	backup.exe
676	backup.exe
1372	backup.exe
1520	backup.exe
1516	backup.exe
112	backup.exe
1960	backup.exe
948	backup.exe
1492	backup.exe
1044	backup.exe
1408	backup.exe
1632	System Restore.exe
1596	backup.exe
1536	backup.exe
1384	backup.exe
320	backup.exe
1624	backup.exe
1144	backup.exe
316	backup.exe
1932	backup.exe
964	backup.exe
2016	update.exe
1548	backup.exe
240	backup.exe
288	backup.exe
1748	backup.exe
768	backup.exe
1372	backup.exe
1308	backup.exe
824	backup.exe
812	backup.exe
1208	backup.exe
1724	backup.exe
1744	backup.exe
1344	backup.exe
1336	backup.exe
1672	backup.exe
900	backup.exe
816	backup.exe
868	backup.exe
1764	backup.exe
1752	backup.exe
620	backup.exe
1816	backup.exe
1144	backup.exe
320	backup.exe
1612	backup.exe
1836	backup.exe
792	backup.exe
1224	backup.exe
1520	backup.exe
988	backup.exe
240	backup.exe
1684	backup.exe
1576	backup.exe
1652	backup.exe
1392	backup.exe
1664	System Restore.exe
1688	backup.exe
1572	backup.exe

Loads dropped DLL 64 IoCs

Processes:

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

pid	process
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
676	backup.exe
676	backup.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
1372	backup.exe
1372	backup.exe
676	backup.exe
676	backup.exe
1960	backup.exe
1960	backup.exe
948	backup.exe
948	backup.exe
1960	backup.exe
1960	backup.exe
1044	backup.exe
1044	backup.exe
1408	backup.exe
1408	backup.exe
1408	backup.exe
1408	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
2016	update.exe
2016	update.exe
2016	update.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
1596	backup.exe
288	backup.exe
288	backup.exe
288	backup.exe
288	backup.exe
288	backup.exe
288	backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe

Drops file in Windows directory 23 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\backup.exe	backup.exe
File opened for modification	C:\Windows\Boot\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\backup.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe

pid process

872 d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exedata.exe

pid	process
872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
572	backup.exe
556	backup.exe
568	backup.exe
520	backup.exe
1612	backup.exe
676	backup.exe
1372	backup.exe
1520	backup.exe
1516	backup.exe
112	backup.exe
1960	backup.exe
948	backup.exe
1492	backup.exe
1044	backup.exe
1408	backup.exe
1632	System Restore.exe
1596	backup.exe
1536	backup.exe
1384	backup.exe
320	backup.exe
1624	backup.exe
1144	backup.exe
316	backup.exe
1932	backup.exe
964	backup.exe
2016	update.exe
1548	backup.exe
240	backup.exe
288	backup.exe
1748	backup.exe
768	backup.exe
1372	backup.exe
1308	backup.exe
824	backup.exe
812	backup.exe
1208	backup.exe
1724	backup.exe
1744	backup.exe
1344	backup.exe
1336	backup.exe
1672	backup.exe
900	backup.exe
868	backup.exe
1764	backup.exe
816	backup.exe
1752	backup.exe
1816	backup.exe
1144	backup.exe
620	backup.exe
320	backup.exe
1612	backup.exe
1836	backup.exe
792	backup.exe
1520	backup.exe
1224	backup.exe
1576	backup.exe
240	backup.exe
988	backup.exe
1684	backup.exe
1652	backup.exe
1392	backup.exe
1664	System Restore.exe
1696	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 872 wrote to memory of 572	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 572	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 572	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 572	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 556	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 556	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 556	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 556	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 568	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 568	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 568	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 568	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1612	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1612	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1612	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1612	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 572 wrote to memory of 676	572	backup.exe	backup.exe
PID 572 wrote to memory of 676	572	backup.exe	backup.exe
PID 572 wrote to memory of 676	572	backup.exe	backup.exe
PID 572 wrote to memory of 676	572	backup.exe	backup.exe
PID 676 wrote to memory of 1372	676	backup.exe	backup.exe
PID 676 wrote to memory of 1372	676	backup.exe	backup.exe
PID 676 wrote to memory of 1372	676	backup.exe	backup.exe
PID 676 wrote to memory of 1372	676	backup.exe	backup.exe
PID 872 wrote to memory of 1520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1520	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1516	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1516	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1516	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 872 wrote to memory of 1516	872	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe	backup.exe
PID 1372 wrote to memory of 112	1372	backup.exe	backup.exe
PID 1372 wrote to memory of 112	1372	backup.exe	backup.exe
PID 1372 wrote to memory of 112	1372	backup.exe	backup.exe
PID 1372 wrote to memory of 112	1372	backup.exe	backup.exe
PID 676 wrote to memory of 1960	676	backup.exe	backup.exe
PID 676 wrote to memory of 1960	676	backup.exe	backup.exe
PID 676 wrote to memory of 1960	676	backup.exe	backup.exe
PID 676 wrote to memory of 1960	676	backup.exe	backup.exe
PID 1960 wrote to memory of 948	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 948	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 948	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 948	1960	backup.exe	backup.exe
PID 948 wrote to memory of 1492	948	backup.exe	backup.exe
PID 948 wrote to memory of 1492	948	backup.exe	backup.exe
PID 948 wrote to memory of 1492	948	backup.exe	backup.exe
PID 948 wrote to memory of 1492	948	backup.exe	backup.exe
PID 1960 wrote to memory of 1044	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 1044	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 1044	1960	backup.exe	backup.exe
PID 1960 wrote to memory of 1044	1960	backup.exe	backup.exe
PID 1044 wrote to memory of 1408	1044	backup.exe	backup.exe
PID 1044 wrote to memory of 1408	1044	backup.exe	backup.exe
PID 1044 wrote to memory of 1408	1044	backup.exe	backup.exe
PID 1044 wrote to memory of 1408	1044	backup.exe	backup.exe
PID 1408 wrote to memory of 1632	1408	backup.exe	System Restore.exe
PID 1408 wrote to memory of 1632	1408	backup.exe	System Restore.exe
PID 1408 wrote to memory of 1632	1408	backup.exe	System Restore.exe
PID 1408 wrote to memory of 1632	1408	backup.exe	System Restore.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exeupdate.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exed5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe
"C:\Users\Admin\AppData\Local\Temp\d5ea472cb9e1c832e4a5455bc10b20cf43858d24127396b553d5298e27561c7c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:872
- C:\Users\Admin\AppData\Local\Temp\3246639837\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3246639837\backup.exe C:\Users\Admin\AppData\Local\Temp\3246639837\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1960
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:948
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:316
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        System policy modification
        
        PID:1708
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2200
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1392
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:240
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1380
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:532
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1724
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:860
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        System policy modification
        
        PID:1524
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        System policy modification
        
        PID:920
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        System policy modification
        
        PID:1740
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1580
        
        C:\Program Files\Common Files\System\it-IT\data.exe
        
        "C:\Program Files\Common Files\System\it-IT\data.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1488
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1392
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1764
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:988
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:1572
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        System policy modification
        
        PID:1976
      - C:\Program Files\DVD Maker\it-IT\System Restore.exe
        
        "C:\Program Files\DVD Maker\it-IT\System Restore.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System policy modification
        
        PID:672
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:860
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:2320
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1836
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        System policy modification
        
        PID:1584
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:748
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        System policy modification
        
        PID:1748
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1612
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        System policy modification
        
        PID:1072
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        System policy modification
        
        PID:396
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        System policy modification
        
        PID:1640
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:544
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:856
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
      - C:\Program Files\Internet Explorer\en-US\update.exe
        
        "C:\Program Files\Internet Explorer\en-US\update.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1036
      - C:\Program Files\Internet Explorer\es-ES\update.exe
        
        "C:\Program Files\Internet Explorer\es-ES\update.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2168
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1000
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2364
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:900
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1752
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        
        PID:1516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        System policy modification
        
        PID:1420
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:316
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2052
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1520
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\data.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1668
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:988
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1968
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        System policy modification
        
        PID:892
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:892
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:1800
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2356
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Drops file in Program Files directory
        
        PID:1876
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1044
      - C:\Program Files (x86)\Google\Policies\backup.exe
        
        "C:\Program Files (x86)\Google\Policies\backup.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
      - C:\Program Files (x86)\Google\Temp\update.exe
        
        "C:\Program Files (x86)\Google\Temp\update.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2060
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2396
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1576
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:620
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1256
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1736
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1168
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:920
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1728
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2192
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2348
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
      - C:\Users\Public\Documents\System Restore.exe
        
        "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
        6⤵
        System policy modification
        
        PID:824
      - C:\Users\Public\Downloads\System Restore.exe
        
        "C:\Users\Public\Downloads\System Restore.exe" C:\Users\Public\Downloads\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:280
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2308
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1224
    - - C:\Windows\addins\data.exe
        
        C:\Windows\addins\data.exe C:\Windows\addins\
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1696
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1740
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:1416
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:280
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1104
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1792
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:1488
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        System policy modification
        
        PID:1988
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2176
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:288
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Drops file in Windows directory
        
        PID:432
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:532
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1652
        
        C:\Windows\assembly\GAC\Extensibility\update.exe
        
        C:\Windows\assembly\GAC\Extensibility\update.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2068
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:2160
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1740
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2372
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:520
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ee41889520952054789095c8690ff6ba

SHA1
5a2156c13028d76a3cde0dd1b13419359fc45f0d

SHA256
290afae70f5bc4939e81d59d798ee00062307300c6dfa03c4f2e49af8d1872a0

SHA512
6454ea202e89a953cfc9f0599c263bf7eda9191785c66eefaab0c09433a692558a27a76584ce3628e6bd0e45d9250048509da17045e2e9f247411a7843c9d71c

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
fe538de88cf7e174fb4c2550b8cf16ef

SHA1
5a1bdd44e5499ed546d131c7b0873ea7343cfd43

SHA256
d3217b99e4328cb046c527700460557d9ca2df6039fca0146ef8098dd0726c07

SHA512
21b6db41eb8af3241e9ff266928298be882f7904807f1b5ae0784f8244213cbd2ca4c9e90522f661d4721676690dae3cd5b96bd76c616538878830bfd4f2745b

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
fe538de88cf7e174fb4c2550b8cf16ef

SHA1
5a1bdd44e5499ed546d131c7b0873ea7343cfd43

SHA256
d3217b99e4328cb046c527700460557d9ca2df6039fca0146ef8098dd0726c07

SHA512
21b6db41eb8af3241e9ff266928298be882f7904807f1b5ae0784f8244213cbd2ca4c9e90522f661d4721676690dae3cd5b96bd76c616538878830bfd4f2745b

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a19d30586c210a9e834df702e0118d19

SHA1
79ec5d025ff5f25a385bac7027e065b170ac5283

SHA256
bb77491e092a35268fe2366c1988c17da324ba266a54f8dbeaf27f01b9fb44d3

SHA512
ef006b63e050220dbc524c553e538e8085eeb6fc2c173bc7763d283c6691a312955a27dbd8a7083cc79db320539a587c78054613ad5b0874ab0c925000880a7a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
01bbb462e8e7798a1955fe092d78d7fd

SHA1
82ccd87483a709128db36e6c46f6c5656d730b91

SHA256
70675e175b08ce83134a58a27481ba100612595c52dc6935116d1253f890845f

SHA512
b0a04cf96a9f1093cb045212306b1aa8355a9c9d2396e07dcdbf6ba84a1ec74c3b7446fd754afb62d520ae6ce1ab96f822dc18192b182e84a1c7b8da47bf511f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
01bbb462e8e7798a1955fe092d78d7fd

SHA1
82ccd87483a709128db36e6c46f6c5656d730b91

SHA256
70675e175b08ce83134a58a27481ba100612595c52dc6935116d1253f890845f

SHA512
b0a04cf96a9f1093cb045212306b1aa8355a9c9d2396e07dcdbf6ba84a1ec74c3b7446fd754afb62d520ae6ce1ab96f822dc18192b182e84a1c7b8da47bf511f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
46960c1db6f18c7f46b8ddbe569cf875

SHA1
1e1351fa41ae4a8696f870d0e9c708af8ae85de2

SHA256
3f5867e487052f1d6718df349ff00d1bd9b8991b0d8104149523511602e24424

SHA512
941f5744659dce4cbc378db7453e1c8574e8255fdf37a3eec15fd6210d8930cc1de1b207792e71d6500cf4160eead663c8626306019c788af28293609477d22f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
46960c1db6f18c7f46b8ddbe569cf875

SHA1
1e1351fa41ae4a8696f870d0e9c708af8ae85de2

SHA256
3f5867e487052f1d6718df349ff00d1bd9b8991b0d8104149523511602e24424

SHA512
941f5744659dce4cbc378db7453e1c8574e8255fdf37a3eec15fd6210d8930cc1de1b207792e71d6500cf4160eead663c8626306019c788af28293609477d22f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f690872d86531fba424ae418647cbcf9

SHA1
184c0e19317386f3c55f7c23382a36c0c49a6f18

SHA256
080311aefd53faceca503788f333caa99021a755484d05c1dbf5959b770d6831

SHA512
dbe021b55eb3b41aaa7a55f0a44062f99c4756e445fc6d0be6bb434ee2fcb41279a6a69e8c9b1ab5b51cf38cac29383708577a2744f5b2eea9d0ee25c4cca348

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7b57a3ab7b7a24070006aaf2b8f26ae9

SHA1
dad1d986e09b674104ce3516241d5fc4bd85397d

SHA256
2780358bb9ec1ea7a4467419cde85da3833b29ce782f8eca45583d3cb4f145fc

SHA512
fe263ba8e349b6f79b344e0dd0208cf09ddfcfa6fd15e45d1bee572566e33825eb8d0b7247b573f44a61efebb1494e9146cba2f6a5721abc64d2801d44e7400b

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4302ae0d0bf0eeca4e04b92aeebaa

SHA1
fc6532583cfb62287aa9506a425108f766068fba

SHA256
4c782d099c9a0ace8aeb2594d6ec65ea2c49a3e7077d425f8040141edfe578a8

SHA512
d76fe9a4880fff8c6bf6125eddf0da739ff9fa99ad217e2de1ed025dac02de75b8a296ce9f9e31d945f53e519a0b77894beb1d4d12a234e2a413e2c08bd43e00

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4302ae0d0bf0eeca4e04b92aeebaa

SHA1
fc6532583cfb62287aa9506a425108f766068fba

SHA256
4c782d099c9a0ace8aeb2594d6ec65ea2c49a3e7077d425f8040141edfe578a8

SHA512
d76fe9a4880fff8c6bf6125eddf0da739ff9fa99ad217e2de1ed025dac02de75b8a296ce9f9e31d945f53e519a0b77894beb1d4d12a234e2a413e2c08bd43e00

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
dcb342bacfc6d9ae2d073c6bae768e53

SHA1
856e32257c294d8f764c7fc735ce8d7426c8824c

SHA256
f6d0243157206ccb7c44f489ca3533e4221b1a147456ed8c4c8f20d9901eab8f

SHA512
9662d9b72230ea22e38ce79379f5e00178ab4d73dc489b3778c768f0126b4e5cbe3fb2391607b3d9b130967a1f9dc8b1544a2f63b1b50871569e4c181358994c

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
dcb342bacfc6d9ae2d073c6bae768e53

SHA1
856e32257c294d8f764c7fc735ce8d7426c8824c

SHA256
f6d0243157206ccb7c44f489ca3533e4221b1a147456ed8c4c8f20d9901eab8f

SHA512
9662d9b72230ea22e38ce79379f5e00178ab4d73dc489b3778c768f0126b4e5cbe3fb2391607b3d9b130967a1f9dc8b1544a2f63b1b50871569e4c181358994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3246639837\backup.exe

Filesize
72KB

MD5
3921ae7de869ecac6d66a0f05abab399

SHA1
f85079fe1d89432ef9c3a6f3f61db30e68be1e35

SHA256
5e822f6781d499da1ae2ecb480ad67996b97a0be644571dc547357b8942b71f3

SHA512
286b73ef53bc0a63e2c11637524818cb2c0c75cd5d44f301e27c9a5d94d045a8d147809015a3077b8bcf65c327b8921e4c9679934dc5a1a41b72b9eb76850966

Download Submit
C:\Users\Admin\AppData\Local\Temp\3246639837\backup.exe

Filesize
72KB

MD5
3921ae7de869ecac6d66a0f05abab399

SHA1
f85079fe1d89432ef9c3a6f3f61db30e68be1e35

SHA256
5e822f6781d499da1ae2ecb480ad67996b97a0be644571dc547357b8942b71f3

SHA512
286b73ef53bc0a63e2c11637524818cb2c0c75cd5d44f301e27c9a5d94d045a8d147809015a3077b8bcf65c327b8921e4c9679934dc5a1a41b72b9eb76850966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ded89fe719df304a8d8028c88ca54875

SHA1
69c179db44f2a7599f9d04d2351f6be1cbbd5b89

SHA256
b0309c3018fb9e11ceca36d31fd421e88844796c27ecef3eb1a38c629f678068

SHA512
df35d99c66c4943e8d0c391511fb8326accae9f30098067c0e064d71a513e9cfc725a0462dce7af314ff37883fa6cae00a37176e52cf2f02812b9d867224cffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c4b466f7227b45a90f8f4a9dd3b94125

SHA1
c3bd88709b99da05d80f93c6603ece1052fbf840

SHA256
335a917a27946534c261842984c37f8ec5576b1ac0c3d9cc728aca68c82e1d6f

SHA512
87990dd7a67896bcb59a89d9bfb66bfbd42ea073ddced3f49e70aa71e8a480f96e5d7652e6e25f8d57eeb001a71432863923adca1faf84f7b799710ff31990a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
776f3ff429234accb6601bce1888da1b

SHA1
c373f704d165748ce755e58a83c2bf5832c920a7

SHA256
f022c5aa3b239838fa1262bf2f58ade91948a21cf1f6837a412bd7243c45b2f2

SHA512
a15b544f6d7c65cbd29b2bf4daaa1441bed2b00dc9bd77e7428ee1e35efa44ebf86dc2ef6502ff4bef303a0101b181fc46acaef6c4e8afd3ae346317502fd6fa

Download Submit
C:\backup.exe

Filesize
72KB

MD5
63e39962835a89e67bb179d1ae45ebdc

SHA1
66c5a84c82e451f2576a3caa92f2c3a7d1be0fb0

SHA256
d7a9e5f253b6de4d7395ba657afea39af9b03506fa4e84b77c134c2daa781ced

SHA512
a18f236c205014a8f1d1f5813cf29517804703e783be0ae3facea5bddcbcf38ab548e26edb4f3e9f58af68ca1b5c593525caa8db312713727e8005b140840bf2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
63e39962835a89e67bb179d1ae45ebdc

SHA1
66c5a84c82e451f2576a3caa92f2c3a7d1be0fb0

SHA256
d7a9e5f253b6de4d7395ba657afea39af9b03506fa4e84b77c134c2daa781ced

SHA512
a18f236c205014a8f1d1f5813cf29517804703e783be0ae3facea5bddcbcf38ab548e26edb4f3e9f58af68ca1b5c593525caa8db312713727e8005b140840bf2

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ee41889520952054789095c8690ff6ba

SHA1
5a2156c13028d76a3cde0dd1b13419359fc45f0d

SHA256
290afae70f5bc4939e81d59d798ee00062307300c6dfa03c4f2e49af8d1872a0

SHA512
6454ea202e89a953cfc9f0599c263bf7eda9191785c66eefaab0c09433a692558a27a76584ce3628e6bd0e45d9250048509da17045e2e9f247411a7843c9d71c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
ee41889520952054789095c8690ff6ba

SHA1
5a2156c13028d76a3cde0dd1b13419359fc45f0d

SHA256
290afae70f5bc4939e81d59d798ee00062307300c6dfa03c4f2e49af8d1872a0

SHA512
6454ea202e89a953cfc9f0599c263bf7eda9191785c66eefaab0c09433a692558a27a76584ce3628e6bd0e45d9250048509da17045e2e9f247411a7843c9d71c

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
fe538de88cf7e174fb4c2550b8cf16ef

SHA1
5a1bdd44e5499ed546d131c7b0873ea7343cfd43

SHA256
d3217b99e4328cb046c527700460557d9ca2df6039fca0146ef8098dd0726c07

SHA512
21b6db41eb8af3241e9ff266928298be882f7904807f1b5ae0784f8244213cbd2ca4c9e90522f661d4721676690dae3cd5b96bd76c616538878830bfd4f2745b

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
fe538de88cf7e174fb4c2550b8cf16ef

SHA1
5a1bdd44e5499ed546d131c7b0873ea7343cfd43

SHA256
d3217b99e4328cb046c527700460557d9ca2df6039fca0146ef8098dd0726c07

SHA512
21b6db41eb8af3241e9ff266928298be882f7904807f1b5ae0784f8244213cbd2ca4c9e90522f661d4721676690dae3cd5b96bd76c616538878830bfd4f2745b

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a19d30586c210a9e834df702e0118d19

SHA1
79ec5d025ff5f25a385bac7027e065b170ac5283

SHA256
bb77491e092a35268fe2366c1988c17da324ba266a54f8dbeaf27f01b9fb44d3

SHA512
ef006b63e050220dbc524c553e538e8085eeb6fc2c173bc7763d283c6691a312955a27dbd8a7083cc79db320539a587c78054613ad5b0874ab0c925000880a7a

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
a19d30586c210a9e834df702e0118d19

SHA1
79ec5d025ff5f25a385bac7027e065b170ac5283

SHA256
bb77491e092a35268fe2366c1988c17da324ba266a54f8dbeaf27f01b9fb44d3

SHA512
ef006b63e050220dbc524c553e538e8085eeb6fc2c173bc7763d283c6691a312955a27dbd8a7083cc79db320539a587c78054613ad5b0874ab0c925000880a7a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
01bbb462e8e7798a1955fe092d78d7fd

SHA1
82ccd87483a709128db36e6c46f6c5656d730b91

SHA256
70675e175b08ce83134a58a27481ba100612595c52dc6935116d1253f890845f

SHA512
b0a04cf96a9f1093cb045212306b1aa8355a9c9d2396e07dcdbf6ba84a1ec74c3b7446fd754afb62d520ae6ce1ab96f822dc18192b182e84a1c7b8da47bf511f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
01bbb462e8e7798a1955fe092d78d7fd

SHA1
82ccd87483a709128db36e6c46f6c5656d730b91

SHA256
70675e175b08ce83134a58a27481ba100612595c52dc6935116d1253f890845f

SHA512
b0a04cf96a9f1093cb045212306b1aa8355a9c9d2396e07dcdbf6ba84a1ec74c3b7446fd754afb62d520ae6ce1ab96f822dc18192b182e84a1c7b8da47bf511f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
46960c1db6f18c7f46b8ddbe569cf875

SHA1
1e1351fa41ae4a8696f870d0e9c708af8ae85de2

SHA256
3f5867e487052f1d6718df349ff00d1bd9b8991b0d8104149523511602e24424

SHA512
941f5744659dce4cbc378db7453e1c8574e8255fdf37a3eec15fd6210d8930cc1de1b207792e71d6500cf4160eead663c8626306019c788af28293609477d22f

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
46960c1db6f18c7f46b8ddbe569cf875

SHA1
1e1351fa41ae4a8696f870d0e9c708af8ae85de2

SHA256
3f5867e487052f1d6718df349ff00d1bd9b8991b0d8104149523511602e24424

SHA512
941f5744659dce4cbc378db7453e1c8574e8255fdf37a3eec15fd6210d8930cc1de1b207792e71d6500cf4160eead663c8626306019c788af28293609477d22f

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f690872d86531fba424ae418647cbcf9

SHA1
184c0e19317386f3c55f7c23382a36c0c49a6f18

SHA256
080311aefd53faceca503788f333caa99021a755484d05c1dbf5959b770d6831

SHA512
dbe021b55eb3b41aaa7a55f0a44062f99c4756e445fc6d0be6bb434ee2fcb41279a6a69e8c9b1ab5b51cf38cac29383708577a2744f5b2eea9d0ee25c4cca348

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f690872d86531fba424ae418647cbcf9

SHA1
184c0e19317386f3c55f7c23382a36c0c49a6f18

SHA256
080311aefd53faceca503788f333caa99021a755484d05c1dbf5959b770d6831

SHA512
dbe021b55eb3b41aaa7a55f0a44062f99c4756e445fc6d0be6bb434ee2fcb41279a6a69e8c9b1ab5b51cf38cac29383708577a2744f5b2eea9d0ee25c4cca348

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
5897abe147942291d6ea113bfcb4e343

SHA1
6bb3b95f48463d109a06cad1fff69f37a1dd48ef

SHA256
ee649a8ee2a6d2cbff1b328f4101deb602fecc334fe069ece12145a880089f0c

SHA512
efd26b80e8579d876e3b263fa973d4805fab978892db5642db2977b7384c8c2ffbd9f3de4d4964e1131391bdaa7610b8e6ae7c9c10235bc6b55d732199b78ecc

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7b57a3ab7b7a24070006aaf2b8f26ae9

SHA1
dad1d986e09b674104ce3516241d5fc4bd85397d

SHA256
2780358bb9ec1ea7a4467419cde85da3833b29ce782f8eca45583d3cb4f145fc

SHA512
fe263ba8e349b6f79b344e0dd0208cf09ddfcfa6fd15e45d1bee572566e33825eb8d0b7247b573f44a61efebb1494e9146cba2f6a5721abc64d2801d44e7400b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
7b57a3ab7b7a24070006aaf2b8f26ae9

SHA1
dad1d986e09b674104ce3516241d5fc4bd85397d

SHA256
2780358bb9ec1ea7a4467419cde85da3833b29ce782f8eca45583d3cb4f145fc

SHA512
fe263ba8e349b6f79b344e0dd0208cf09ddfcfa6fd15e45d1bee572566e33825eb8d0b7247b573f44a61efebb1494e9146cba2f6a5721abc64d2801d44e7400b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
7b57a3ab7b7a24070006aaf2b8f26ae9

SHA1
dad1d986e09b674104ce3516241d5fc4bd85397d

SHA256
2780358bb9ec1ea7a4467419cde85da3833b29ce782f8eca45583d3cb4f145fc

SHA512
fe263ba8e349b6f79b344e0dd0208cf09ddfcfa6fd15e45d1bee572566e33825eb8d0b7247b573f44a61efebb1494e9146cba2f6a5721abc64d2801d44e7400b

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4302ae0d0bf0eeca4e04b92aeebaa

SHA1
fc6532583cfb62287aa9506a425108f766068fba

SHA256
4c782d099c9a0ace8aeb2594d6ec65ea2c49a3e7077d425f8040141edfe578a8

SHA512
d76fe9a4880fff8c6bf6125eddf0da739ff9fa99ad217e2de1ed025dac02de75b8a296ce9f9e31d945f53e519a0b77894beb1d4d12a234e2a413e2c08bd43e00

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
41b4302ae0d0bf0eeca4e04b92aeebaa

SHA1
fc6532583cfb62287aa9506a425108f766068fba

SHA256
4c782d099c9a0ace8aeb2594d6ec65ea2c49a3e7077d425f8040141edfe578a8

SHA512
d76fe9a4880fff8c6bf6125eddf0da739ff9fa99ad217e2de1ed025dac02de75b8a296ce9f9e31d945f53e519a0b77894beb1d4d12a234e2a413e2c08bd43e00

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
dcb342bacfc6d9ae2d073c6bae768e53

SHA1
856e32257c294d8f764c7fc735ce8d7426c8824c

SHA256
f6d0243157206ccb7c44f489ca3533e4221b1a147456ed8c4c8f20d9901eab8f

SHA512
9662d9b72230ea22e38ce79379f5e00178ab4d73dc489b3778c768f0126b4e5cbe3fb2391607b3d9b130967a1f9dc8b1544a2f63b1b50871569e4c181358994c

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
dcb342bacfc6d9ae2d073c6bae768e53

SHA1
856e32257c294d8f764c7fc735ce8d7426c8824c

SHA256
f6d0243157206ccb7c44f489ca3533e4221b1a147456ed8c4c8f20d9901eab8f

SHA512
9662d9b72230ea22e38ce79379f5e00178ab4d73dc489b3778c768f0126b4e5cbe3fb2391607b3d9b130967a1f9dc8b1544a2f63b1b50871569e4c181358994c

Download Submit
\Users\Admin\AppData\Local\Temp\3246639837\backup.exe

Filesize
72KB

MD5
3921ae7de869ecac6d66a0f05abab399

SHA1
f85079fe1d89432ef9c3a6f3f61db30e68be1e35

SHA256
5e822f6781d499da1ae2ecb480ad67996b97a0be644571dc547357b8942b71f3

SHA512
286b73ef53bc0a63e2c11637524818cb2c0c75cd5d44f301e27c9a5d94d045a8d147809015a3077b8bcf65c327b8921e4c9679934dc5a1a41b72b9eb76850966

Download Submit
\Users\Admin\AppData\Local\Temp\3246639837\backup.exe

Filesize
72KB

MD5
3921ae7de869ecac6d66a0f05abab399

SHA1
f85079fe1d89432ef9c3a6f3f61db30e68be1e35

SHA256
5e822f6781d499da1ae2ecb480ad67996b97a0be644571dc547357b8942b71f3

SHA512
286b73ef53bc0a63e2c11637524818cb2c0c75cd5d44f301e27c9a5d94d045a8d147809015a3077b8bcf65c327b8921e4c9679934dc5a1a41b72b9eb76850966

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ded89fe719df304a8d8028c88ca54875

SHA1
69c179db44f2a7599f9d04d2351f6be1cbbd5b89

SHA256
b0309c3018fb9e11ceca36d31fd421e88844796c27ecef3eb1a38c629f678068

SHA512
df35d99c66c4943e8d0c391511fb8326accae9f30098067c0e064d71a513e9cfc725a0462dce7af314ff37883fa6cae00a37176e52cf2f02812b9d867224cffa

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ded89fe719df304a8d8028c88ca54875

SHA1
69c179db44f2a7599f9d04d2351f6be1cbbd5b89

SHA256
b0309c3018fb9e11ceca36d31fd421e88844796c27ecef3eb1a38c629f678068

SHA512
df35d99c66c4943e8d0c391511fb8326accae9f30098067c0e064d71a513e9cfc725a0462dce7af314ff37883fa6cae00a37176e52cf2f02812b9d867224cffa

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c4b466f7227b45a90f8f4a9dd3b94125

SHA1
c3bd88709b99da05d80f93c6603ece1052fbf840

SHA256
335a917a27946534c261842984c37f8ec5576b1ac0c3d9cc728aca68c82e1d6f

SHA512
87990dd7a67896bcb59a89d9bfb66bfbd42ea073ddced3f49e70aa71e8a480f96e5d7652e6e25f8d57eeb001a71432863923adca1faf84f7b799710ff31990a6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
c4b466f7227b45a90f8f4a9dd3b94125

SHA1
c3bd88709b99da05d80f93c6603ece1052fbf840

SHA256
335a917a27946534c261842984c37f8ec5576b1ac0c3d9cc728aca68c82e1d6f

SHA512
87990dd7a67896bcb59a89d9bfb66bfbd42ea073ddced3f49e70aa71e8a480f96e5d7652e6e25f8d57eeb001a71432863923adca1faf84f7b799710ff31990a6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
255fe8040599a13fd2fa40db3d7bc311

SHA1
9c75b1a6bddf3650c6fb3f332bee7db344c8bb28

SHA256
2dd3d5b3cf03e43df1499585867ca38e4f825acb90b6aed7adffa2207f813fde

SHA512
9c72595b9ce297777fa3496912ef84c0f4a67b2ba24142a010d9b46e70dcfd8c3ebb70c72b2a8d881f77886f80f6ee738c3767348e1d327c8a6ded13bfabfc2c

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
776f3ff429234accb6601bce1888da1b

SHA1
c373f704d165748ce755e58a83c2bf5832c920a7

SHA256
f022c5aa3b239838fa1262bf2f58ade91948a21cf1f6837a412bd7243c45b2f2

SHA512
a15b544f6d7c65cbd29b2bf4daaa1441bed2b00dc9bd77e7428ee1e35efa44ebf86dc2ef6502ff4bef303a0101b181fc46acaef6c4e8afd3ae346317502fd6fa

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
776f3ff429234accb6601bce1888da1b

SHA1
c373f704d165748ce755e58a83c2bf5832c920a7

SHA256
f022c5aa3b239838fa1262bf2f58ade91948a21cf1f6837a412bd7243c45b2f2

SHA512
a15b544f6d7c65cbd29b2bf4daaa1441bed2b00dc9bd77e7428ee1e35efa44ebf86dc2ef6502ff4bef303a0101b181fc46acaef6c4e8afd3ae346317502fd6fa

Download Submit
memory/112-111-0x0000000000000000-mapping.dmp

Download
memory/240-204-0x0000000000000000-mapping.dmp

Download
memory/240-283-0x0000000000000000-mapping.dmp

Download
memory/288-207-0x0000000000000000-mapping.dmp

Download
memory/316-187-0x0000000000000000-mapping.dmp

Download
memory/320-262-0x0000000000000000-mapping.dmp

Download
memory/320-178-0x0000000000000000-mapping.dmp

Download
memory/520-76-0x0000000000000000-mapping.dmp

Download
memory/556-64-0x0000000000000000-mapping.dmp

Download
memory/568-70-0x0000000000000000-mapping.dmp

Download
memory/572-58-0x0000000000000000-mapping.dmp

Download
memory/620-259-0x0000000000000000-mapping.dmp

Download
memory/676-85-0x0000000000000000-mapping.dmp

Download
memory/768-213-0x0000000000000000-mapping.dmp

Download
memory/792-275-0x0000000000000000-mapping.dmp

Download
memory/812-225-0x0000000000000000-mapping.dmp

Download
memory/816-249-0x0000000000000000-mapping.dmp

Download
memory/824-222-0x0000000000000000-mapping.dmp

Download
memory/868-250-0x0000000000000000-mapping.dmp

Download
memory/872-117-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/872-188-0x00000000741C1000-0x00000000741C3000-memory.dmp

Filesize
8KB

Download
memory/900-246-0x0000000000000000-mapping.dmp

Download
memory/948-127-0x0000000000000000-mapping.dmp

Download
memory/964-194-0x0000000000000000-mapping.dmp

Download
memory/988-285-0x0000000000000000-mapping.dmp

Download
memory/1044-140-0x0000000000000000-mapping.dmp

Download
memory/1144-184-0x0000000000000000-mapping.dmp

Download
memory/1144-261-0x0000000000000000-mapping.dmp

Download
memory/1208-228-0x0000000000000000-mapping.dmp

Download
memory/1224-282-0x0000000000000000-mapping.dmp

Download
memory/1308-219-0x0000000000000000-mapping.dmp

Download
memory/1336-240-0x0000000000000000-mapping.dmp

Download
memory/1344-237-0x0000000000000000-mapping.dmp

Download
memory/1372-216-0x0000000000000000-mapping.dmp

Download
memory/1372-94-0x0000000000000000-mapping.dmp

Download
memory/1380-309-0x0000000000000000-mapping.dmp

Download
memory/1384-173-0x0000000000000000-mapping.dmp

Download
memory/1392-297-0x0000000000000000-mapping.dmp

Download
memory/1408-147-0x0000000000000000-mapping.dmp

Download
memory/1492-134-0x0000000000000000-mapping.dmp

Download
memory/1516-107-0x0000000000000000-mapping.dmp

Download
memory/1520-284-0x0000000000000000-mapping.dmp

Download
memory/1520-100-0x0000000000000000-mapping.dmp

Download
memory/1536-167-0x0000000000000000-mapping.dmp

Download
memory/1548-201-0x0000000000000000-mapping.dmp

Download
memory/1576-291-0x0000000000000000-mapping.dmp

Download
memory/1596-160-0x0000000000000000-mapping.dmp

Download
memory/1612-83-0x0000000000000000-mapping.dmp

Download
memory/1612-273-0x0000000000000000-mapping.dmp

Download
memory/1624-181-0x0000000000000000-mapping.dmp

Download
memory/1632-154-0x0000000000000000-mapping.dmp

Download
memory/1652-293-0x0000000000000000-mapping.dmp

Download
memory/1664-302-0x0000000000000000-mapping.dmp

Download
memory/1672-243-0x0000000000000000-mapping.dmp

Download
memory/1684-292-0x0000000000000000-mapping.dmp

Download
memory/1688-310-0x0000000000000000-mapping.dmp

Download
memory/1724-231-0x0000000000000000-mapping.dmp

Download
memory/1744-234-0x0000000000000000-mapping.dmp

Download
memory/1748-210-0x0000000000000000-mapping.dmp

Download
memory/1752-258-0x0000000000000000-mapping.dmp

Download
memory/1764-251-0x0000000000000000-mapping.dmp

Download
memory/1816-260-0x0000000000000000-mapping.dmp

Download
memory/1836-274-0x0000000000000000-mapping.dmp

Download
memory/1932-191-0x0000000000000000-mapping.dmp

Download
memory/1960-120-0x0000000000000000-mapping.dmp

Download
memory/2016-197-0x0000000000000000-mapping.dmp

Download