9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
Size

72KB
MD5

01a4cf938041e738525d52b6c8af42cd
SHA1

ba61ba3c2465080f65aa63a1a675a46e5d369a14
SHA256

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd
SHA512

a5c8e492a9424feba1e359a841caeb4db37aeabfe8a3eee77ecf9259dbec7a171772f27d2ad31bebaa9440a28a15596609c749caf76978d48ed6659b9182bbbe
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRrCtk:teThavEjDWguKCtk

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

backup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exe9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeSystem Restore.exeupdate.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exebackup.exe

pid	process
844	backup.exe
1272	backup.exe
516	backup.exe
1164	backup.exe
1492	backup.exe
1012	backup.exe
272	backup.exe
1452	backup.exe
364	backup.exe
1976	backup.exe
1944	backup.exe
556	backup.exe
276	backup.exe
1888	backup.exe
1384	backup.exe
864	backup.exe
584	backup.exe
576	backup.exe
1688	backup.exe
1436	backup.exe
1508	backup.exe
1648	backup.exe
1588	backup.exe
1036	backup.exe
924	backup.exe
392	backup.exe
432	backup.exe
764	backup.exe
1152	update.exe
364	backup.exe
1044	backup.exe
1964	backup.exe
548	backup.exe
556	backup.exe
2028	backup.exe
948	backup.exe
1656	backup.exe
572	backup.exe
1268	backup.exe
1272	data.exe
576	backup.exe
1872	backup.exe
1772	backup.exe
1516	backup.exe
832	backup.exe
1536	backup.exe
1556	backup.exe
1732	backup.exe
1880	backup.exe
1532	data.exe
1996	backup.exe
1808	backup.exe
2008	backup.exe
1788	backup.exe
1044	backup.exe
1400	backup.exe
1392	backup.exe
1672	backup.exe
556	backup.exe
1256	update.exe
1332	data.exe
1576	backup.exe
560	backup.exe
1152	backup.exe

Loads dropped DLL 64 IoCs

Processes:

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exe

pid	process
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
1452	backup.exe
1452	backup.exe
364	backup.exe
364	backup.exe
1452	backup.exe
1452	backup.exe
1944	backup.exe
1944	backup.exe
556	backup.exe
556	backup.exe
1944	backup.exe
1944	backup.exe
1888	backup.exe
1888	backup.exe
1384	backup.exe
1384	backup.exe
1384	backup.exe
1384	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
584	backup.exe
1152	update.exe
1152	update.exe
1152	update.exe
1152	update.exe
1152	update.exe
364	backup.exe
364	backup.exe
364	backup.exe
1152	update.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

Processes:

backup.exe

description ioc process

File opened for modification C:\Windows\backup.exe backup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe

pid process

336 9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe

description	ioc	process
File opened for modification	C:\Windows\backup.exe	backup.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exedata.exebackup.exebackup.exe

pid	process
336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
844	backup.exe
1272	backup.exe
516	backup.exe
1164	backup.exe
1492	backup.exe
1012	backup.exe
272	backup.exe
1452	backup.exe
364	backup.exe
1976	backup.exe
1944	backup.exe
556	backup.exe
276	backup.exe
1888	backup.exe
1384	backup.exe
864	backup.exe
584	backup.exe
576	backup.exe
1688	backup.exe
1436	backup.exe
1508	backup.exe
1648	backup.exe
1588	backup.exe
1036	backup.exe
924	backup.exe
392	backup.exe
432	backup.exe
764	backup.exe
1152	update.exe
364	backup.exe
1044	backup.exe
1964	backup.exe
548	backup.exe
556	backup.exe
2028	backup.exe
948	backup.exe
1656	backup.exe
572	backup.exe
1268	backup.exe
1272	data.exe
576	backup.exe
1872	backup.exe
1772	backup.exe
1516	backup.exe
832	backup.exe
1536	backup.exe
1556	backup.exe
1732	backup.exe
1880	backup.exe
1532	data.exe
1996	backup.exe
1808	backup.exe
2008	backup.exe
1788	backup.exe
1044	backup.exe
1400	backup.exe
1392	backup.exe
1672	backup.exe
556	backup.exe
1256	update.exe
1332	data.exe
1576	backup.exe
560	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 336 wrote to memory of 844	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 844	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 844	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 844	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 516	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 516	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 516	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 516	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1164	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1164	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1164	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1164	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1492	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1492	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1492	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1492	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1012	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1012	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1012	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 1012	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 336 wrote to memory of 272	336	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe	backup.exe
PID 844 wrote to memory of 1452	844	backup.exe	backup.exe
PID 844 wrote to memory of 1452	844	backup.exe	backup.exe
PID 844 wrote to memory of 1452	844	backup.exe	backup.exe
PID 844 wrote to memory of 1452	844	backup.exe	backup.exe
PID 1452 wrote to memory of 364	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 364	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 364	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 364	1452	backup.exe	backup.exe
PID 364 wrote to memory of 1976	364	backup.exe	backup.exe
PID 364 wrote to memory of 1976	364	backup.exe	backup.exe
PID 364 wrote to memory of 1976	364	backup.exe	backup.exe
PID 364 wrote to memory of 1976	364	backup.exe	backup.exe
PID 1452 wrote to memory of 1944	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 1944	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 1944	1452	backup.exe	backup.exe
PID 1452 wrote to memory of 1944	1452	backup.exe	backup.exe
PID 1944 wrote to memory of 556	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 556	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 556	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 556	1944	backup.exe	backup.exe
PID 556 wrote to memory of 276	556	backup.exe	backup.exe
PID 556 wrote to memory of 276	556	backup.exe	backup.exe
PID 556 wrote to memory of 276	556	backup.exe	backup.exe
PID 556 wrote to memory of 276	556	backup.exe	backup.exe
PID 1944 wrote to memory of 1888	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 1888	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 1888	1944	backup.exe	backup.exe
PID 1944 wrote to memory of 1888	1944	backup.exe	backup.exe
PID 1888 wrote to memory of 1384	1888	backup.exe	backup.exe
PID 1888 wrote to memory of 1384	1888	backup.exe	backup.exe
PID 1888 wrote to memory of 1384	1888	backup.exe	backup.exe
PID 1888 wrote to memory of 1384	1888	backup.exe	backup.exe
PID 1384 wrote to memory of 864	1384	backup.exe	backup.exe
PID 1384 wrote to memory of 864	1384	backup.exe	backup.exe
PID 1384 wrote to memory of 864	1384	backup.exe	backup.exe
PID 1384 wrote to memory of 864	1384	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exe9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe

C:\Users\Admin\AppData\Local\Temp\9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe
"C:\Users\Admin\AppData\Local\Temp\9ef301b72df5752c0ac420651940fe1c1c11fa1279d6fb5add33562e0b3531fd.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:336

C:\Users\Admin\AppData\Local\Temp\324608615\backup.exe
C:\Users\Admin\AppData\Local\Temp\324608615\backup.exe C:\Users\Admin\AppData\Local\Temp\324608615\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:844

C:\backup.exe
\backup.exe \
3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1944

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:276

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:584

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:576

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1436

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1648

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1036

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:392

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:764

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1152

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:364

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:556

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2028

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:948

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:572

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:576

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1872

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1516

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:832

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1536

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1732

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1996

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1808

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2008

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1044

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1392

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1672

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:556

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1332

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1576

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:560

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1152

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:836

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1932

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1272

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1704

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1224

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:1636

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
- System policy modification
PID:1516

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1052

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:1036

C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1996

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:2008

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1788

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1392

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
- System policy modification
PID:1600

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
- System policy modification
PID:580

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1540

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
- System policy modification
PID:1436

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:1640

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1572

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:1100

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1628

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\data.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:1120

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1692

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:1344

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:692

C:\Program Files\Common Files\Services\System Restore.exe
"C:\Program Files\Common Files\Services\System Restore.exe" C:\Program Files\Common Files\Services\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:240

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1592

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:1532

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:948

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
PID:1716

C:\Program Files\Common Files\System\de-DE\backup.exe
"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:936

C:\Program Files\Common Files\System\en-US\data.exe
"C:\Program Files\Common Files\System\en-US\data.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:1628

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:1188

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
PID:284

C:\Program Files\DVD Maker\de-DE\System Restore.exe
"C:\Program Files\DVD Maker\de-DE\System Restore.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2020

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1652

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:984

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
- System policy modification
PID:1716

C:\Program Files\DVD Maker\it-IT\update.exe
"C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1332

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
- System policy modification
PID:1932

C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:1496

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1012

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:1880

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
- System policy modification
PID:1952

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1764

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1688

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
PID:1056

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
PID:1888

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:2032

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:1436

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:432

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
- Modifies visibility of file extensions in Explorer
PID:1332

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:1840

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1012

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:952

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
PID:1980

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:1384

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:284

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:484

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1992

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
- System policy modification
PID:1800

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
- Drops file in Program Files directory
PID:1376

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:1620

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:1980

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:964

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1708

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1692

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:1824

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
PID:1696

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:520

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1548

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:692

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1948

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1160

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
PID:584

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
PID:1976

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
PID:1948

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
PID:1660

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
- Drops file in Program Files directory
PID:924

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:1648

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
PID:1124

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:1744

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
- Drops file in Program Files directory
PID:1600

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:1864

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:1788

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:1936

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:1732

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
PID:1564

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:1740

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:1164

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
- Drops file in Program Files directory
- System policy modification
PID:2008

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:1736

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:1392

C:\Program Files (x86)\Microsoft Analysis Services\update.exe
"C:\Program Files (x86)\Microsoft Analysis Services\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:608

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:624

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
5⤵
PID:1664

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1008

C:\Users\Admin\update.exe
C:\Users\Admin\update.exe C:\Users\Admin\
5⤵
PID:1400

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:1256

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:1516

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:2020

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:1288

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:276

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:1768

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:576

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1272

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:516

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1012

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
C:\PerfLogs\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
a832d95c7076cc928ee6cd7afe113f3f

SHA1
d328cf99ab5b86e0577e1b8e7760616a2aecd92c

SHA256
fe85b08318cc716df157c6e815202019ce595766aaa89ea506ed98c50fd0ee09

SHA512
f812c86313062d39d2c93f046753ddeb2e682f6cb6125b37520b9d418388ef3e3beb90a714b3289f5ee404779c463fed25693a7b072f78cce7bdadbe1524306c

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
C:\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
4fd9ceb9c3ea6feb3ad044630b5aecbf

SHA1
99cb18eba9dcfa9ad203a1ef21aceddb4b6b528c

SHA256
6841d88b9bba93803340f90249187c2d05851352a9bf02b787b690f732be695f

SHA512
831a2dae58b975e37cfde528a999576544a63a3904809461d0096f4fb88fdbfbd59cbae99351ba5af6fa2eb65ddf4edc3f05148ffa2b26555cddf8804a37513d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
4fd9ceb9c3ea6feb3ad044630b5aecbf

SHA1
99cb18eba9dcfa9ad203a1ef21aceddb4b6b528c

SHA256
6841d88b9bba93803340f90249187c2d05851352a9bf02b787b690f732be695f

SHA512
831a2dae58b975e37cfde528a999576544a63a3904809461d0096f4fb88fdbfbd59cbae99351ba5af6fa2eb65ddf4edc3f05148ffa2b26555cddf8804a37513d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
ffbdb417651cc74f37882dfd91b452e9

SHA1
d51ae5b4492ad2d503eb4edd6ba8d33b127b20ea

SHA256
39e368cf843fdffe7953a92bdfa411bdf380c617133c80690b32701146880d7a

SHA512
a1d6f396d3c198cf994f1eebbdf5564d4571b6e03935c5b147eb30ffaed1ac5036b4bce13ed946d7acf82fa6be61e4423e59df21aa8fde816a75d7ce5791b2eb

Download Submit
C:\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
ffbdb417651cc74f37882dfd91b452e9

SHA1
d51ae5b4492ad2d503eb4edd6ba8d33b127b20ea

SHA256
39e368cf843fdffe7953a92bdfa411bdf380c617133c80690b32701146880d7a

SHA512
a1d6f396d3c198cf994f1eebbdf5564d4571b6e03935c5b147eb30ffaed1ac5036b4bce13ed946d7acf82fa6be61e4423e59df21aa8fde816a75d7ce5791b2eb

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
C:\Program Files\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\324608615\backup.exe
Filesize
72KB

MD5
15a8ed1acb094bd5f6bfbee9a0de258a

SHA1
66c80bf8a0dd3a6a3f30afda550ad77f97a47117

SHA256
6bc56c43a761b973f5b6827a58cf0fabf220d875122f10bb809a7f185ae87852

SHA512
dc3b113c331d4c96833fef0412f40a713eccea9ec237d9ac2582d1299b1b3a53bb43fcb93bdb651e5d75cb5e152f23f3ffc7e7e53c5cbad2a2518035d136a284

Download Submit
C:\Users\Admin\AppData\Local\Temp\324608615\backup.exe
Filesize
72KB

MD5
15a8ed1acb094bd5f6bfbee9a0de258a

SHA1
66c80bf8a0dd3a6a3f30afda550ad77f97a47117

SHA256
6bc56c43a761b973f5b6827a58cf0fabf220d875122f10bb809a7f185ae87852

SHA512
dc3b113c331d4c96833fef0412f40a713eccea9ec237d9ac2582d1299b1b3a53bb43fcb93bdb651e5d75cb5e152f23f3ffc7e7e53c5cbad2a2518035d136a284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
1624cf110181ae800fb6a2c842b85f88

SHA1
b215300d5907606992ff5b7d99e0759668195aab

SHA256
5e83921787fce615e1218c7fccd5042216cf7d4a1acaafa7d06261ecba59ed16

SHA512
20254efc7909989c6d1532e13d258df22b33c5bbdac6653035c7e245eca0d0be9955f7563bb9c26796b41db80cfd73371fb64a9cf0bae2f121e0d135ac3395fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
C:\backup.exe
Filesize
72KB

MD5
9b4fca639caf170415b100cdf10cba9c

SHA1
c00e8fc1053d1ded22decf3f302245f826067eae

SHA256
1bbc7fdba8d7837e726d039dfec96b08f1dbec30387631ebe53b55dc009cd803

SHA512
3107e1ee70e3a5911ade9dbedc4be77a2a6712796cffe352b83ff7f9f754a8e2597e7de5f60d8a82e0766aadfb472b3a3acddd3d64c0478d49b6421a02591963

Download Submit
C:\backup.exe
Filesize
72KB

MD5
9b4fca639caf170415b100cdf10cba9c

SHA1
c00e8fc1053d1ded22decf3f302245f826067eae

SHA256
1bbc7fdba8d7837e726d039dfec96b08f1dbec30387631ebe53b55dc009cd803

SHA512
3107e1ee70e3a5911ade9dbedc4be77a2a6712796cffe352b83ff7f9f754a8e2597e7de5f60d8a82e0766aadfb472b3a3acddd3d64c0478d49b6421a02591963

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
\PerfLogs\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
a832d95c7076cc928ee6cd7afe113f3f

SHA1
d328cf99ab5b86e0577e1b8e7760616a2aecd92c

SHA256
fe85b08318cc716df157c6e815202019ce595766aaa89ea506ed98c50fd0ee09

SHA512
f812c86313062d39d2c93f046753ddeb2e682f6cb6125b37520b9d418388ef3e3beb90a714b3289f5ee404779c463fed25693a7b072f78cce7bdadbe1524306c

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
72KB

MD5
a832d95c7076cc928ee6cd7afe113f3f

SHA1
d328cf99ab5b86e0577e1b8e7760616a2aecd92c

SHA256
fe85b08318cc716df157c6e815202019ce595766aaa89ea506ed98c50fd0ee09

SHA512
f812c86313062d39d2c93f046753ddeb2e682f6cb6125b37520b9d418388ef3e3beb90a714b3289f5ee404779c463fed25693a7b072f78cce7bdadbe1524306c

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
\Program Files\7-Zip\backup.exe
Filesize
72KB

MD5
705a3ac6c7f1ebe3e276077e25f5900f

SHA1
d1d2fae075f21b4ff6768eb7bedabc2280754f9f

SHA256
7023a93646750f61d5c73fa5ea6cf14b9889200274b8b0f9974591e52291c96e

SHA512
a73ac3b91e2784b67805e4698a7af1322fd37fee778c1cd5ab3b4e3241a09ad98636b3787de10fcdd2c8fd9111e07c8ee16ca362649dc7eedabfbf89f9f6acc1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
4fd9ceb9c3ea6feb3ad044630b5aecbf

SHA1
99cb18eba9dcfa9ad203a1ef21aceddb4b6b528c

SHA256
6841d88b9bba93803340f90249187c2d05851352a9bf02b787b690f732be695f

SHA512
831a2dae58b975e37cfde528a999576544a63a3904809461d0096f4fb88fdbfbd59cbae99351ba5af6fa2eb65ddf4edc3f05148ffa2b26555cddf8804a37513d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
72KB

MD5
4fd9ceb9c3ea6feb3ad044630b5aecbf

SHA1
99cb18eba9dcfa9ad203a1ef21aceddb4b6b528c

SHA256
6841d88b9bba93803340f90249187c2d05851352a9bf02b787b690f732be695f

SHA512
831a2dae58b975e37cfde528a999576544a63a3904809461d0096f4fb88fdbfbd59cbae99351ba5af6fa2eb65ddf4edc3f05148ffa2b26555cddf8804a37513d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe
Filesize
72KB

MD5
1b873897a453b3e93a3e4e49f2eb1d1e

SHA1
4a95bc01fbd58753ca06eda4b2a0baea162a6828

SHA256
68b0d8a8c288c8543a29ce57e151e7b4a6b82d19bfedf513ff725a82c6fc460c

SHA512
2738ab1d7d4eb51efc9d7979e448c4412603add68979d94e031e43a3a71ab5cdde12cc71d50c4d05acb5cb93e2aec76f2d386ce8c3a3b2198b8a243982e6beaa

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
Filesize
72KB

MD5
a6843933417af5826e8f410ec4004c49

SHA1
3757eba53c020cfb9a3d150c4fb425505215ea92

SHA256
5dd45132c2bee7f8cea94e7c95a0dc0977a986b6f25c106c8a700b313631abaa

SHA512
b6ed83744072a5ae5fecff68c11d7ee6ab12798ba47eca6874004945f08037efa5abd8881fab876b2f0a19f7581bf28ad8bfa48bbe39ad9401db3a897f2a28eb

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
Filesize
72KB

MD5
bb7d701a1612c536f860fd82d0814310

SHA1
d32f987fb35647f44094bb73d1cd74a8e201ff02

SHA256
fef686b6cbc6ee96aeaa6d3dd996cf54a8536f36fc8dfc4eb133c84aa8b076a6

SHA512
09e5a0a66174deba57acdaf6d91007d487ec92601b68dbc2a6f4718532595ea2916a43c2be018bc77ad4fd0c20eaa464165c3a23d9f687ed033aee61fbf35b39

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
ffbdb417651cc74f37882dfd91b452e9

SHA1
d51ae5b4492ad2d503eb4edd6ba8d33b127b20ea

SHA256
39e368cf843fdffe7953a92bdfa411bdf380c617133c80690b32701146880d7a

SHA512
a1d6f396d3c198cf994f1eebbdf5564d4571b6e03935c5b147eb30ffaed1ac5036b4bce13ed946d7acf82fa6be61e4423e59df21aa8fde816a75d7ce5791b2eb

Download Submit
\Program Files\Common Files\backup.exe
Filesize
72KB

MD5
ffbdb417651cc74f37882dfd91b452e9

SHA1
d51ae5b4492ad2d503eb4edd6ba8d33b127b20ea

SHA256
39e368cf843fdffe7953a92bdfa411bdf380c617133c80690b32701146880d7a

SHA512
a1d6f396d3c198cf994f1eebbdf5564d4571b6e03935c5b147eb30ffaed1ac5036b4bce13ed946d7acf82fa6be61e4423e59df21aa8fde816a75d7ce5791b2eb

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
\Program Files\backup.exe
Filesize
72KB

MD5
697eec1d25f04c717d9535042286be60

SHA1
fe4df1749e70533f9ea8277aac0cf853f5f35b6e

SHA256
5a34fbbd4d09baee2611554f689991ccfeb2291dcf9253c82048877dcd78946f

SHA512
da503f0fa85023a03ef20757d5ea76c303463c394880a7530d8269869e5f402cd2afdd498d41bc75b8cabd47c3c001ecf542ab9fe1294d75ba6ac7bc7b61fd2e

Download Submit
\Users\Admin\AppData\Local\Temp\324608615\backup.exe
Filesize
72KB

MD5
15a8ed1acb094bd5f6bfbee9a0de258a

SHA1
66c80bf8a0dd3a6a3f30afda550ad77f97a47117

SHA256
6bc56c43a761b973f5b6827a58cf0fabf220d875122f10bb809a7f185ae87852

SHA512
dc3b113c331d4c96833fef0412f40a713eccea9ec237d9ac2582d1299b1b3a53bb43fcb93bdb651e5d75cb5e152f23f3ffc7e7e53c5cbad2a2518035d136a284

Download Submit
\Users\Admin\AppData\Local\Temp\324608615\backup.exe
Filesize
72KB

MD5
15a8ed1acb094bd5f6bfbee9a0de258a

SHA1
66c80bf8a0dd3a6a3f30afda550ad77f97a47117

SHA256
6bc56c43a761b973f5b6827a58cf0fabf220d875122f10bb809a7f185ae87852

SHA512
dc3b113c331d4c96833fef0412f40a713eccea9ec237d9ac2582d1299b1b3a53bb43fcb93bdb651e5d75cb5e152f23f3ffc7e7e53c5cbad2a2518035d136a284

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
1624cf110181ae800fb6a2c842b85f88

SHA1
b215300d5907606992ff5b7d99e0759668195aab

SHA256
5e83921787fce615e1218c7fccd5042216cf7d4a1acaafa7d06261ecba59ed16

SHA512
20254efc7909989c6d1532e13d258df22b33c5bbdac6653035c7e245eca0d0be9955f7563bb9c26796b41db80cfd73371fb64a9cf0bae2f121e0d135ac3395fd

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
Filesize
72KB

MD5
1624cf110181ae800fb6a2c842b85f88

SHA1
b215300d5907606992ff5b7d99e0759668195aab

SHA256
5e83921787fce615e1218c7fccd5042216cf7d4a1acaafa7d06261ecba59ed16

SHA512
20254efc7909989c6d1532e13d258df22b33c5bbdac6653035c7e245eca0d0be9955f7563bb9c26796b41db80cfd73371fb64a9cf0bae2f121e0d135ac3395fd

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
Filesize
72KB

MD5
032c180ff43267a2edd6aeb1f11fe779

SHA1
35f5d5423eb02a448bb3197ee1a1851b9bac4da2

SHA256
889c7136326595e8cefa8307775ae7919503140904d56a7558e727d3affcbe24

SHA512
ee94625f0a24dee5120d23461aa3435adbafc1d1aeaf853f4dd3c560c61f33dd2e3df0a641d4e7e63463324d4282d8cfbc5a3075e6ac09f798f39e6193f862e6

Download Submit
memory/272-94-0x0000000000000000-mapping.dmp

Download
memory/276-134-0x0000000000000000-mapping.dmp

Download
memory/336-158-0x0000000074BC1000-0x0000000074BC3000-memory.dmp

Filesize
8KB

Download
memory/336-108-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/364-106-0x0000000000000000-mapping.dmp

Download
memory/364-210-0x0000000000000000-mapping.dmp

Download
memory/392-197-0x0000000000000000-mapping.dmp

Download
memory/432-200-0x0000000000000000-mapping.dmp

Download
memory/516-70-0x0000000000000000-mapping.dmp

Download
memory/548-222-0x0000000000000000-mapping.dmp

Download
memory/556-226-0x0000000000000000-mapping.dmp

Download
memory/556-306-0x0000000000000000-mapping.dmp

Download
memory/556-127-0x0000000000000000-mapping.dmp

Download
memory/560-319-0x0000000000000000-mapping.dmp

Download
memory/572-242-0x0000000000000000-mapping.dmp

Download
memory/576-168-0x0000000000000000-mapping.dmp

Download
memory/576-252-0x0000000000000000-mapping.dmp

Download
memory/584-161-0x0000000000000000-mapping.dmp

Download
memory/764-203-0x0000000000000000-mapping.dmp

Download
memory/832-264-0x0000000000000000-mapping.dmp

Download
memory/844-58-0x0000000000000000-mapping.dmp

Download
memory/864-154-0x0000000000000000-mapping.dmp

Download
memory/924-194-0x0000000000000000-mapping.dmp

Download
memory/948-234-0x0000000000000000-mapping.dmp

Download
memory/1012-88-0x0000000000000000-mapping.dmp

Download
memory/1036-191-0x0000000000000000-mapping.dmp

Download
memory/1044-214-0x0000000000000000-mapping.dmp

Download
memory/1044-294-0x0000000000000000-mapping.dmp

Download
memory/1152-206-0x0000000000000000-mapping.dmp

Download
memory/1152-322-0x0000000000000000-mapping.dmp

Download
memory/1164-76-0x0000000000000000-mapping.dmp

Download
memory/1256-309-0x0000000000000000-mapping.dmp

Download
memory/1268-246-0x0000000000000000-mapping.dmp

Download
memory/1272-249-0x0000000000000000-mapping.dmp

Download
memory/1272-64-0x0000000000000000-mapping.dmp

Download
memory/1332-313-0x0000000000000000-mapping.dmp

Download
memory/1384-147-0x0000000000000000-mapping.dmp

Download
memory/1392-300-0x0000000000000000-mapping.dmp

Download
memory/1400-297-0x0000000000000000-mapping.dmp

Download
memory/1436-179-0x0000000000000000-mapping.dmp

Download
memory/1452-99-0x0000000000000000-mapping.dmp

Download
memory/1492-82-0x0000000000000000-mapping.dmp

Download
memory/1508-182-0x0000000000000000-mapping.dmp

Download
memory/1516-261-0x0000000000000000-mapping.dmp

Download
memory/1532-279-0x0000000000000000-mapping.dmp

Download
memory/1536-267-0x0000000000000000-mapping.dmp

Download
memory/1556-270-0x0000000000000000-mapping.dmp

Download
memory/1576-316-0x0000000000000000-mapping.dmp

Download
memory/1588-188-0x0000000000000000-mapping.dmp

Download
memory/1648-185-0x0000000000000000-mapping.dmp

Download
memory/1656-238-0x0000000000000000-mapping.dmp

Download
memory/1672-303-0x0000000000000000-mapping.dmp

Download
memory/1688-174-0x0000000000000000-mapping.dmp

Download
memory/1732-273-0x0000000000000000-mapping.dmp

Download
memory/1772-258-0x0000000000000000-mapping.dmp

Download
memory/1788-291-0x0000000000000000-mapping.dmp

Download
memory/1808-285-0x0000000000000000-mapping.dmp

Download
memory/1872-255-0x0000000000000000-mapping.dmp

Download
memory/1880-276-0x0000000000000000-mapping.dmp

Download
memory/1888-140-0x0000000000000000-mapping.dmp

Download
memory/1944-120-0x0000000000000000-mapping.dmp

Download
memory/1964-218-0x0000000000000000-mapping.dmp

Download
memory/1976-114-0x0000000000000000-mapping.dmp

Download
memory/1996-282-0x0000000000000000-mapping.dmp

Download
memory/2008-288-0x0000000000000000-mapping.dmp

Download
memory/2028-230-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads