
Analysis

  • max time kernel
    168s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 14:17

General

  • Target

    41c3e5f5b96db2521d3ba4e1c907ea46e0fb31c69a513ba8eb31d3cde1d2e003.exe

  • Size

    72KB

  • MD5

    018479cb5e721cff5e42cc16761fdc8f

  • SHA1

    1a582b24e9bc7ff6440663862564330fb087b715

  • SHA256

    41c3e5f5b96db2521d3ba4e1c907ea46e0fb31c69a513ba8eb31d3cde1d2e003

  • SHA512

    c35f400aace89c3ba57576334a3fb9cd0e7c9532245d5535f514aa293f55a548db7f1d1389d9787410ef980b6102b18a034847915fb7bcc511e25633c12699ce

  • SSDEEP

    384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2A:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPU

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
  • Disables RegEdit via registry modification 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41c3e5f5b96db2521d3ba4e1c907ea46e0fb31c69a513ba8eb31d3cde1d2e003.exe
    "C:\Users\Admin\AppData\Local\Temp\41c3e5f5b96db2521d3ba4e1c907ea46e0fb31c69a513ba8eb31d3cde1d2e003.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\3444988905\backup.exe
      C:\Users\Admin\AppData\Local\Temp\3444988905\backup.exe C:\Users\Admin\AppData\Local\Temp\3444988905\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5104
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\odt\backup.exe
          C:\odt\backup.exe C:\odt\
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1904
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1460
        • C:\Program Files\backup.exe
          "C:\Program Files\backup.exe" C:\Program Files\
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2260
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:984
          • C:\Program Files\Common Files\System Restore.exe
            "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
            5⤵
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3308
            • C:\Program Files\Common Files\DESIGNER\backup.exe
              "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:4064
            • C:\Program Files\Common Files\microsoft shared\backup.exe
              "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
              6⤵
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3200
              • C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
                "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:2172
              • C:\Program Files\Common Files\microsoft shared\ink\backup.exe
                "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3968
                • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1956
                • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1708
                • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1900
                • C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3164
                • C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:3464
                • C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:4948
                • C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:2284
                • C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2584
                • C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3432
                • C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:4248
                • C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
                  8⤵
                  PID:2336
                • C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2140
                • C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:2896
                • C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:1644
                • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
                  8⤵
                  • Drops file in Program Files directory
                  • System policy modification
                  PID:3364
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    PID:3588
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
                    9⤵
                    • Disables RegEdit via registry modification
                    • System policy modification
                    PID:1860
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    PID:5112
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
                    9⤵
                    • Disables RegEdit via registry modification
                    • System policy modification
                    PID:5036
                • C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:740
                • C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\update.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • System policy modification
                  PID:4544
                • C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  PID:816
                • C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\
                  8⤵
                  PID:2332
              • C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
                "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                PID:4124
                • C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:4744
                • C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2192
                • C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:4772
                • C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1988
                • C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
                  8⤵
                  PID:4448
                • C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:4548
              • C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
                "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3604
                • C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:3140
              • C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
                "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
                7⤵
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3156
              • C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
                "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
                7⤵
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:2324
              • C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
                "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
                7⤵
                • Modifies visibility of file extensions in Explorer
                PID:4824
              • C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
                "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
                7⤵
                • Disables RegEdit via registry modification
                • Drops file in Program Files directory
                PID:4476
                • C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
                  8⤵
                  • System policy modification
                  PID:4196
              • C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe
                "C:\Program Files\Common Files\microsoft shared\Triedit\System Restore.exe" C:\Program Files\Common Files\microsoft shared\Triedit\
                7⤵
                PID:1460
                • C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\Triedit\en-US\
                  8⤵
                  PID:1824
              • C:\Program Files\Common Files\microsoft shared\VC\System Restore.exe
                "C:\Program Files\Common Files\microsoft shared\VC\System Restore.exe" C:\Program Files\Common Files\microsoft shared\VC\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • System policy modification
                PID:4716
              • C:\Program Files\Common Files\microsoft shared\VGX\backup.exe
                "C:\Program Files\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files\Common Files\microsoft shared\VGX\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                PID:4992
              • C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe
                "C:\Program Files\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • System policy modification
                PID:5084
                • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\
                  8⤵
                  • Disables RegEdit via registry modification
                  • System policy modification
                  PID:2236
                  • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\
                    9⤵
                    • System policy modification
                    PID:4820
            • C:\Program Files\Common Files\Services\backup.exe
              "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3396
            • C:\Program Files\Common Files\System\backup.exe
              "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              PID:4996
              • C:\Program Files\Common Files\System\de-DE\backup.exe
                "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • System policy modification
                PID:2616
              • C:\Program Files\Common Files\System\en-US\update.exe
                "C:\Program Files\Common Files\System\en-US\update.exe" C:\Program Files\Common Files\System\en-US\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • System policy modification
                PID:3464
              • C:\Program Files\Common Files\System\es-ES\backup.exe
                "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
                7⤵
                • Modifies visibility of file extensions in Explorer
                PID:1400
              • C:\Program Files\Common Files\System\fr-FR\update.exe
                "C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • System policy modification
                PID:3872
          • C:\Program Files\Google\backup.exe
            "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4104
            • C:\Program Files\Google\Chrome\backup.exe
              "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • System policy modification
              PID:4956
              • C:\Program Files\Google\Chrome\Application\backup.exe
                "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • System policy modification
                PID:4192
                • C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
                  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious use of SetWindowsHookEx
                  PID:3040
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:1956
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • System policy modification
                    PID:1928
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
                    9⤵
                    PID:4892
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
                    9⤵
                    PID:2508
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\update.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\update.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    PID:3960
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
                    9⤵
                    PID:4924
                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • System policy modification
                                    PID:4152
                                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
                                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
                                    9⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Drops file in Program Files directory
                                    PID:1388
                                • C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
                                  "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
                                  8⤵
                                    PID:4596
                            • C:\Program Files\Internet Explorer\backup.exe
                              "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                              5⤵
                              • Modifies visibility of file extensions in Explorer
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of SetWindowsHookEx
                              PID:4228
                              • C:\Program Files\Internet Explorer\de-DE\System Restore.exe
                                "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:1468
                              • C:\Program Files\Internet Explorer\en-US\backup.exe
                                "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
                                6⤵
                                • Modifies visibility of file extensions in Explorer
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:2296
                              • C:\Program Files\Internet Explorer\es-ES\backup.exe
                                "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
                                6⤵
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:4372
                              • C:\Program Files\Internet Explorer\fr-FR\backup.exe
                                "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
                                6⤵
                                • Disables RegEdit via registry modification
                                PID:2644
                              • C:\Program Files\Internet Explorer\images\backup.exe
                                "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
                                6⤵
                                • Disables RegEdit via registry modification
                                PID:4292
                              • C:\Program Files\Internet Explorer\it-IT\backup.exe
                                "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
                                6⤵
                                  PID:3628
                                • C:\Program Files\Internet Explorer\ja-JP\backup.exe
                                  "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
                                  6⤵
                                  • Disables RegEdit via registry modification
                                  • System policy modification
                                  PID:4356
                                • C:\Program Files\Internet Explorer\SIGNUP\backup.exe
                                  "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
                                  6⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • System policy modification
                                  PID:1900
                              • C:\Program Files\Java\update.exe
                                "C:\Program Files\Java\update.exe" C:\Program Files\Java\
                                5⤵
                                • Drops file in Program Files directory
                                • System policy modification
                                PID:3916
                            • C:\Program Files (x86)\backup.exe
                              "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
                              4⤵
                              • Modifies visibility of file extensions in Explorer
                              • Disables RegEdit via registry modification
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of SetWindowsHookEx
                              PID:2788
                              • C:\Program Files (x86)\Adobe\backup.exe
                                "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                                5⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:2252
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
                                  6⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2948
                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
                                    7⤵
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3108
                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
                                    7⤵
                                    • Disables RegEdit via registry modification
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    PID:1292
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
                                      8⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Disables RegEdit via registry modification
                                      PID:4320
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
                                        9⤵
                                        • Disables RegEdit via registry modification
                                        PID:544
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
                                      8⤵
                                      • System policy modification
                                      PID:3604
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\update.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
                                        9⤵
                                        • Modifies visibility of file extensions in Explorer
                                        PID:2592
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
                                      8⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • System policy modification
                                      PID:1916
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\
                                      8⤵
                                      • Disables RegEdit via registry modification
                                      • System policy modification
                                      PID:2080
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\update.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\
                                      8⤵
                                        PID:3936
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
                                      7⤵
                                      • Drops file in Program Files directory
                                      PID:3796
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
                                        8⤵
                                        • Modifies visibility of file extensions in Explorer
                                        • Drops file in Program Files directory
                                        PID:1296
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\
                                          9⤵
                                          • Disables RegEdit via registry modification
                                          PID:1364
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\System Restore.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\System Restore.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\
                                        8⤵
                                        • Modifies visibility of file extensions in Explorer
                                        PID:1516
                                • C:\Program Files (x86)\Common Files\backup.exe
                                  "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                                  5⤵
                                  • Disables RegEdit via registry modification
                                  • System policy modification
                                  PID:5116
                                  • C:\Program Files (x86)\Common Files\Adobe\backup.exe
                                    "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
                                    6⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • Drops file in Program Files directory
                                    PID:400
                                    • C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
                                      "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
                                      7⤵
                                      • Disables RegEdit via registry modification
                                      • Drops file in Program Files directory
                                      PID:1668
                                    • C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
                                      "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
                                      7⤵
                                      • Disables RegEdit via registry modification
                                      PID:1172
                              • C:\Users\backup.exe
                                C:\Users\backup.exe C:\Users\
                                4⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:3184
                                • C:\Users\Public\backup.exe
                                  C:\Users\Public\backup.exe C:\Users\Public\
                                  5⤵
                                  • System policy modification
                                  PID:4412
                                  • C:\Users\Public\Documents\System Restore.exe
                                    "C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\
                                    6⤵
                                    • Modifies visibility of file extensions in Explorer
                                    • Disables RegEdit via registry modification
                                    • System policy modification
                                    PID:1968
                                  • C:\Users\Public\Downloads\backup.exe
                                    C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
                                    6⤵
                                    • System policy modification
                                    PID:5048
                              • C:\Windows\backup.exe
                                C:\Windows\backup.exe C:\Windows\
                                4⤵
                                • Disables RegEdit via registry modification
                                • Drops file in Windows directory
                                PID:4712
                                • C:\Windows\addins\backup.exe
                                  C:\Windows\addins\backup.exe C:\Windows\addins\
                                  5⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • System policy modification
                                  PID:3352
                                • C:\Windows\appcompat\backup.exe
                                  C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
                                  5⤵
                                  • Drops file in Windows directory
                                  PID:4904
                          • C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
                            C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:3048
                          • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                            C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            • System policy modification
                            PID:3320
                          • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                            C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:5016
                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                            2⤵
                            • Disables RegEdit via registry modification
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:1364
                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                            2⤵
                            • Modifies visibility of file extensions in Explorer
                            • Disables RegEdit via registry modification
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            • System policy modification
                            PID:1724
                          • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
                            C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:2052
                        • C:\Users\Admin\backup.exe
                          C:\Users\Admin\backup.exe C:\Users\Admin\
                          1⤵
                          • Modifies visibility of file extensions in Explorer
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:3172
                          • C:\Users\Admin\3D Objects\backup.exe
                            "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            • System policy modification
                            PID:3428
                          • C:\Users\Admin\Contacts\data.exe
                            C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
                            2⤵
                            • Modifies visibility of file extensions in Explorer
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:3920
                          • C:\Users\Admin\Desktop\backup.exe
                            C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                            2⤵
                            • Modifies visibility of file extensions in Explorer
                            • System policy modification
                            PID:3272
                          • C:\Users\Admin\Documents\backup.exe
                            C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
                            2⤵
                            • Modifies visibility of file extensions in Explorer
                            • Disables RegEdit via registry modification
                            • System policy modification
                            PID:1272
                          • C:\Users\Admin\Downloads\backup.exe
                            C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
                            2⤵
                            • Disables RegEdit via registry modification
                            • System policy modification
                            PID:1732
                          • C:\Users\Admin\Favorites\backup.exe
                            C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
                            2⤵
                              PID:2248
                            • C:\Users\Admin\Links\backup.exe
                              C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
                              2⤵
                              • Modifies visibility of file extensions in Explorer
                              PID:4744
                            • C:\Users\Admin\Music\backup.exe
                              C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
                              2⤵
                                PID:3192
                              • C:\Users\Admin\OneDrive\backup.exe
                                C:\Users\Admin\OneDrive\backup.exe C:\Users\Admin\OneDrive\
                                2⤵
                                • Disables RegEdit via registry modification
                                • System policy modification
                                PID:4240
                              • C:\Users\Admin\Pictures\backup.exe
                                C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
                                2⤵
                                • Modifies visibility of file extensions in Explorer
                                PID:4868
                            • C:\Program Files\Common Files\System\ado\backup.exe
                              "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
                              1⤵
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of SetWindowsHookEx
                              PID:2052
                              • C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe
                                "C:\Program Files\Common Files\System\ado\de-DE\System Restore.exe" C:\Program Files\Common Files\System\ado\de-DE\
                                2⤵
                                • Modifies visibility of file extensions in Explorer
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:2592
                              • C:\Program Files\Common Files\System\ado\en-US\backup.exe
                                "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
                                2⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:1236
                              • C:\Program Files\Common Files\System\ado\es-ES\backup.exe
                                "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:4368
                              • C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
                                "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
                                2⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • System policy modification
                                PID:1668
                              • C:\Program Files\Common Files\System\ado\it-IT\backup.exe
                                "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
                                2⤵
                                  PID:2012
                                • C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
                                  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
                                  2⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • System policy modification
                                  PID:2384
                              • C:\Program Files\Java\jdk1.8.0_66\backup.exe
                                "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
                                1⤵
                                • Drops file in Program Files directory
                                PID:2284
                                • C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
                                  "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
                                  2⤵
                                    PID:3800
                                  • C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
                                    "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
                                    2⤵
                                    • Modifies visibility of file extensions in Explorer
                                    PID:4900
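
The tree above repeats one propagation step at every level: a copy named backup.exe (or update.exe, data.exe, System Restore.exe) is started with its own parent directory as its only argument, and each copy then drops and launches a further copy in every subdirectory. The following Python is an added example and not part of the tria.ge report: it parses a constructed excerpt written in this page's tree format, checks that each copy's directory argument really is the directory it sits in, tallies file names and signature hits, and then hunts a directory tree for the dropped names by size, comparing SHA-256 against the two values listed under Downloads below. Those two 72KB copies already carry different hashes, so the hunt reports a name-and-size match even when the hash is unknown. The excerpt, the ±1 KB size window and the hypothetical demo_hunt() directory are assumptions made for the example.

```python
# Added example: parse a tria.ge process-tree excerpt and hunt a filesystem for the dropped copies.
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt in the report's text format (assumption), not a verbatim copy of the page.
TREE_EXCERPT = r'''
• C:\Program Files\Internet Explorer\backup.exe
  "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
  5⤵
  • Modifies visibility of file extensions in Explorer
  • Executes dropped EXE
  PID:4228
  • C:\Program Files\Internet Explorer\de-DE\System Restore.exe
    "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
    6⤵
    • Executes dropped EXE
    PID:1468
• C:\Users\Admin\Contacts\data.exe
  C:\Users\Admin\Contacts\data.exe C:\Users\Admin\Contacts\
  2⤵
  • Modifies visibility of file extensions in Explorer
  PID:3920
'''

# Command line as rendered: an optionally quoted .exe path, then one directory argument ending in "\".
CMDLINE_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.exe)"?\s+([A-Za-z]:\\.*\\)$')
PID_RE = re.compile(r'^PID:(\d+)$')
PATH_BULLET_RE = re.compile(r'^• [A-Za-z]:\\')   # a process header bullet, not a signature


def parse_tree(text):
    """One dict per process: image path, directory argument, depth marker, PID, signatures."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CMDLINE_RE.match(line)
        if m:
            procs.append({"image": m.group(1), "arg_dir": m.group(2), "depth": None, "pid": None, "signatures": []})
            continue
        if not procs:
            continue
        cur = procs[-1]
        if line.endswith("⤵"):
            cur["depth"] = int(line[:-1])
        elif PID_RE.match(line):
            cur["pid"] = int(PID_RE.match(line).group(1))
        elif line.startswith("• ") and not PATH_BULLET_RE.match(line):
            cur["signatures"].append(line[2:])
    return procs


def propagation_violations(procs):
    """Processes whose directory argument is not the directory they were dropped into."""
    bad = []
    for p in procs:
        parent = str(PureWindowsPath(p["image"]).parent).rstrip("\\") + "\\"
        if parent.lower() != p["arg_dir"].lower():
            bad.append(p)
    return bad


def indicators(procs):
    """Counts of dropped file names and of signature hits across the parsed tree."""
    names = Counter(PureWindowsPath(p["image"]).name.lower() for p in procs)
    sigs = Counter(s for p in procs for s in p["signatures"])
    return names, sigs


# Names used by the copies in the report; "72KB" is how the report states the size, so the window is an assumption.
DROPPED_NAMES = {"backup.exe", "update.exe", "system restore.exe", "data.exe"}
SIZE_MIN, SIZE_MAX = 71 * 1024, 73 * 1024
# SHA-256 values from the Downloads list; the two copies differ, so an unknown hash is reported, not discarded.
KNOWN_SHA256 = {
    "769618bab13e1d5d6dff320c85fcd38fecdc1ca95a95fe7f87fa44ffa46e90d0",
    "a6944274d3fda705720867243323667200f594026246e480843cb96972aaf536",
}


def hunt(root, names=DROPPED_NAMES, size_range=(SIZE_MIN, SIZE_MAX)):
    """Walk root; return (path, sha256, known_hash) for every file matching a dropped name and the size window."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in names:
                continue
            full = os.path.join(dirpath, fn)
            if not size_range[0] <= os.path.getsize(full) <= size_range[1]:
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hits.append((full, digest, digest in KNOWN_SHA256))
    return hits


def demo_hunt():
    """Hypothetical throwaway tree: one true positive and two decoys; returns hunt() hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Sub"))
        for rel, size in (("Sub/backup.exe", 72 * 1024),   # right name and size: reported
                          ("backup.exe", 1024),            # right name, wrong size: skipped
                          ("notes.exe", 72 * 1024)):       # right size, wrong name: skipped
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(b"\x90" * size)
        return hunt(root)
```

Running the hunt over a real volume is the same hunt() call with the volume root as root. The names and size window are the pivot; the known hashes only label a hit, because the report's own Downloads list shows two 72KB copies with different digests.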

                                Network

                                MITRE ATT&CK Enterprise v6

                                Downloads

                                 • C:\PerfLogs\backup.exe
                                   Filesize  72KB
                                   MD5       610e360d3ca750eb6a8c7b610d5c0983
                                   SHA1      b7806f64cc580b272a7be39cbf02529d34acbc88
                                   SHA256    769618bab13e1d5d6dff320c85fcd38fecdc1ca95a95fe7f87fa44ffa46e90d0
                                   SHA512    d9d5d37ac64988f1b07146fe7ec70ce86fe5b1e955228cb092664d562d1bae6a18b28c7295fbd2e5ece502c79b8a0d7b582c87868281a5e0205fe3c63551f3ed

                                • C:\Program Files (x86)\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  040e7389090fa77911b82ce9ea05ca6a

                                  SHA1

                                  c03bbd4ccc1e9f01a737a2e1754a5f6441252d24

                                  SHA256

                                  a6944274d3fda705720867243323667200f594026246e480843cb96972aaf536

                                  SHA512

                                  b3c09704e3dfdfa9a74de1371954d65f8babe41817a9fc7e17b15e470f42ea2393063008ba3d113bb42e6f8f154a753838a5a69578735900a343958ef8f729e1

                                • C:\Program Files\7-Zip\Lang\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  883eb3c924023aa33a3d7b61a53f1527

                                  SHA1

                                  cd6ef7386d21eca45f65f6b68e52a7261369c80a

                                  SHA256

                                  b013a79e2791bb0005331062c447c7dce19b50c0e8e122d3eebdac14afe6b3a8

                                  SHA512

                                  91383cbf22ed358a26d31ba2f5621eb491b5a116b0c6869017164203fec9003341605be7deb2048a5eae0472882ffb0bd31688db0547b8c3e742ad248ec0a222

                                • C:\Program Files\7-Zip\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  06cabac37cfff5e4ab1a9b0f1624b79f

                                  SHA1

                                  4921752b1c7648c9b2f2bcc6163f3e8baccbcd30

                                  SHA256

                                  038de6acaa3205b76352810898eafd5c3bced6466edeaf9d771b4330c1d524a8

                                  SHA512

                                  4282ee8cc2cda35952e57174bdb4c0873caf3db9f9b66e1681f67d54c558957f1a4afcf576bece32782720f200d85ed605df50db973e5dc48edf279b5354000d

                                • C:\Program Files\Common Files\DESIGNER\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  9a06e187c06cb7174c447f11952dfa1f

                                  SHA1

                                  8c90b4cc7ef82e1a7a656393d3fa0ed0bb8fdd00

                                  SHA256

                                  1a8c5abac9210fd82213ca8937ef1c5baa2e08672ba09dcb35f64725007c8ab1

                                  SHA512

                                  7f7a1440b26bbba3b3b74cc50f6e8d73606fd4f582df48d59c25c94ccb8491b4c8314061cc873afecb085edc82d1940ba14d61445790a6e02bd970320a67c518

                                • C:\Program Files\Common Files\Services\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  72bdc98953469ec0b3a44f777092d0f5

                                  SHA1

                                  0a6e19494148b0aebd312f439551263c73c75e12

                                  SHA256

                                  154ca0fba0fc4900688e8be15bc5653359e4cc3e997219b41d22d77d4a94c27c

                                  SHA512

                                  eff7a2cb239fe8b636ff3500fe5b6a8516f6cf59578bd058eaee7796cb63b3372b46a40b83ddee48faf8a4971524ea589dd614fc325bb3ef8dfbfa92b90091ac

                                • C:\Program Files\Common Files\System Restore.exe

                                  Filesize

                                  72KB

                                  MD5

                                  d460e6ea306c87f9e1ed5be5fda3d4da

                                  SHA1

                                  2be4bfeaa75448a071ffdbe7bc52ef274ac95572

                                  SHA256

                                  e31db7b6c2676e195916c70102a95c147a4b4385658e757afcb10cc851335367

                                  SHA512

                                  361ce3f7df8a3449c3bea782e715e1e4ce699dc3a663da69b805e8558f0d24184f87d26e52819c715aff318ed29147a173f8076bbb0d310aa1da76d7c738a9de

                                • C:\Program Files\Common Files\System\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  53163406e5fb05cde37ad8bfe54dfe23

                                  SHA1

                                  2a2ced94e785f0214f2175650d8436c0ee02dca8

                                  SHA256

                                  2d4718f9fec24ad9574d335e065520993bf4027ba0894a810d1a3906edc1a389

                                  SHA512

                                  231f719de50061ea2da8bac10524eeb1da6cebe0affe4c99c0de9a339a8fd96c40bd91c7ea849ce5eb23f048f95c4d8f3cd97465d591911cfc290c6bc714ec5c

                                • C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  96f4177389d366cd647ae37001a1866b

                                  SHA1

                                  096e34964b9f42ae06fb9ff0f488ac9545ce0d63

                                  SHA256

                                  9d90cb4b8ea38c83427c0a1094416e73a093520ce84d52dbad4e09332f8f23a2

                                  SHA512

                                  c7d08cb97c02778e1954d1fa4e469d02368849766c604c4f8d1ce87a2c90e08ed283c9b556b64ef0a36e73d444909b70865ef1ab796c57a70b89bd87237dc642

                                • C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  9e4025b5858f1b082f599ef07515c167

                                  SHA1

                                  b1f0cee5491569d79c247441a8789d7c36cfc3bd

                                  SHA256

                                  d716cdf576fe81db28a7563407108c5a3172c9f64bc6d56b7b282bed4fa7f008

                                  SHA512

                                  b06f561dd9aa0444738b888dcb06e9f35f4eaac89dc99f8666d891e9ba8ea4387eac8e3a655929769ce3506f3a7212486ad791cca45cacf8fc8b2e3cd1219dc9

                                • C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  220407d1d3ae0eb873fd3695cc185eb2

                                  SHA1

                                  4246fbc8750b83620260b960af952be88f73fc38

                                  SHA256

                                  bbe8d9a29ac80fdfd21dcc18d725784babd2e218869cc41aef524fe02d24d0ae

                                  SHA512

                                  f1b0c3ebff81770173ee5a87c3fd3b26a75e227666e8b3a56f6c855ff5be22beef0ef271683abc062f9b703f420eccb5c52b6ceca4167a5fa6cc984f008771a0

                                • C:\Program Files\Common Files\microsoft shared\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  296ad168f3386d122e6d04a1d0155cad

                                  SHA1

                                  03ba2d50c3ad06d7a52b37e1a521317a50fb1d66

                                  SHA256

                                  2bb00c7988477a436c3c014fb1492de6bbf8b344fc0648775a8c15d474f6a7dd

                                  SHA512

                                  6802e52a4ea87a87987303e68c1ba53ae601af805c1153c3ff83a0ea18f4fc5bb5c6b2378ef95cc18cd33939bcb2468b8651d307d804cb601333d50e98de7fce

                                • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  84d08f58eb39e50e1b654def0351188e

                                  SHA1

                                  66b3ff7f8ad00dac7b2bba50f72a219f167cd0b6

                                  SHA256

                                  8750aaf2421f0a5654bf9ea1a06f0293b720b8f7a410a912d7203cdf7d21d42b

                                  SHA512

                                  1fdbbacd9d5b493bbaf8ece1f604dfd7bb21bde68b899afa48db30ccafa0483e5107bc07d47dbc5bec8df71ab5f78c5d90df2056b2e9d8ff7a03b160c6194b8b

                                • C:\Program Files\Common Files\microsoft shared\ink\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  96f4177389d366cd647ae37001a1866b

                                  SHA1

                                  096e34964b9f42ae06fb9ff0f488ac9545ce0d63

                                  SHA256

                                  9d90cb4b8ea38c83427c0a1094416e73a093520ce84d52dbad4e09332f8f23a2

                                  SHA512

                                  c7d08cb97c02778e1954d1fa4e469d02368849766c604c4f8d1ce87a2c90e08ed283c9b556b64ef0a36e73d444909b70865ef1ab796c57a70b89bd87237dc642

                                • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  84d08f58eb39e50e1b654def0351188e

                                  SHA1

                                  66b3ff7f8ad00dac7b2bba50f72a219f167cd0b6

                                  SHA256

                                  8750aaf2421f0a5654bf9ea1a06f0293b720b8f7a410a912d7203cdf7d21d42b

                                  SHA512

                                  1fdbbacd9d5b493bbaf8ece1f604dfd7bb21bde68b899afa48db30ccafa0483e5107bc07d47dbc5bec8df71ab5f78c5d90df2056b2e9d8ff7a03b160c6194b8b

                                • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  11eb4eb227c503dcfb2dd6d5650828f2

                                  SHA1

                                  b99b50427d6b266201f7c7efa3fae0e5487bfcff

                                  SHA256

                                  74c0733493b0a176f7fbef22c0e2dec2636352ab1940e4f294c819ff2a223308

                                  SHA512

                                  88d5a032293f78e1ff83874b3cd28200a051b4fa361c2589a1a1d9e8b9ccb29ea1cb1a12d35b4c51a7f20437e2c98563458f246ecd5377d517b6eab41ae3925a

                                • C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  11eb4eb227c503dcfb2dd6d5650828f2

                                  SHA1

                                  b99b50427d6b266201f7c7efa3fae0e5487bfcff

                                  SHA256

                                  74c0733493b0a176f7fbef22c0e2dec2636352ab1940e4f294c819ff2a223308

                                  SHA512

                                  88d5a032293f78e1ff83874b3cd28200a051b4fa361c2589a1a1d9e8b9ccb29ea1cb1a12d35b4c51a7f20437e2c98563458f246ecd5377d517b6eab41ae3925a

                                • C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  11eb4eb227c503dcfb2dd6d5650828f2

                                  SHA1

                                  b99b50427d6b266201f7c7efa3fae0e5487bfcff

                                  SHA256

                                  74c0733493b0a176f7fbef22c0e2dec2636352ab1940e4f294c819ff2a223308

                                  SHA512

                                  88d5a032293f78e1ff83874b3cd28200a051b4fa361c2589a1a1d9e8b9ccb29ea1cb1a12d35b4c51a7f20437e2c98563458f246ecd5377d517b6eab41ae3925a

                                • C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  fa57934f32cbe4a9cf5da227d394bb0b

                                  SHA1

                                  894ca86ccb2e70cb20a4f2cb9344560e293512b0

                                  SHA256

                                  60055771db74630e37f677a8285fc477019641bc2be653fcbee882de2b85f346

                                  SHA512

                                  2feae2ff76c8cba3c2f5a8ba5ce7c72ed87cc19703758cfb1006538b016b3e3d65fb37dbc088239d3c31f846fdeff8a065842a15c6b0aabb904262ff22133e65

                                • C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  fa57934f32cbe4a9cf5da227d394bb0b

                                  SHA1

                                  894ca86ccb2e70cb20a4f2cb9344560e293512b0

                                  SHA256

                                  60055771db74630e37f677a8285fc477019641bc2be653fcbee882de2b85f346

                                  SHA512

                                  2feae2ff76c8cba3c2f5a8ba5ce7c72ed87cc19703758cfb1006538b016b3e3d65fb37dbc088239d3c31f846fdeff8a065842a15c6b0aabb904262ff22133e65

                                • C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  a3a48c267fa0dca1db437c012713a1c3

                                  SHA1

                                  c3c63560a95644b3fbc7595cfac1fcca88b723ce

                                  SHA256

                                  d132f6173603f1021f0e1c96fbd27b61d31a3c72b170dffa809c8c873ec3da6f

                                  SHA512

                                  20208a505e7bb0d68825783aa09e2b8bcde4f21f13f985f588783a95aa4d4878b22b2481e34cd06e3850716267af8701244d64ebd0ad1733590d805034eebc94

                                • C:\Program Files\Google\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  85676b677207de1c7422393c397ad795

                                  SHA1

                                  a4be763db5a17a0bf12617fa9ee6c2351db9861b

                                  SHA256

                                  3311ac8a1eff7d6b0987c658194662a9f6a8ca72b25b38f115cbcd80de1e0ce9

                                  SHA512

                                  5d69a97bc4dd2e248d6e6d12d517295072ec784bbea4cacd08900fea442c287a3addc19dfd695b0933788a511500a349b4bdc90c7c6f25341283c3082695e346

                                • C:\Program Files\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  610e360d3ca750eb6a8c7b610d5c0983

                                  SHA1

                                  b7806f64cc580b272a7be39cbf02529d34acbc88

                                  SHA256

                                  769618bab13e1d5d6dff320c85fcd38fecdc1ca95a95fe7f87fa44ffa46e90d0

                                  SHA512

                                  d9d5d37ac64988f1b07146fe7ec70ce86fe5b1e955228cb092664d562d1bae6a18b28c7295fbd2e5ece502c79b8a0d7b582c87868281a5e0205fe3c63551f3ed

                                • C:\Users\Admin\AppData\Local\Temp\3444988905\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  1233932b94e731394d1a624df33aa285

                                  SHA1

                                  5d27f7b84e1c83e6e8ad4b3c61e95d60ee869f97

                                  SHA256

                                  916ae314fd92a8cd6c06833d62887b140feebe927c9001994706cb1660b3ce0d

                                  SHA512

                                  691f5feb8bc70dd1d4ed7ea9f980f13ba2e04eb7ecd331d53e35cf1e28ebea299d748a281b53f5b43228514a7e6b53d692a59dcde2df63b037ebbed9e2742205

                                • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  de0b282a39d977072882f13612cf171c

                                  SHA1

                                  f20eadd9dceb8a5db48c6a9d30c31a31d3098e4a

                                  SHA256

                                  d92b813de3c2bfd68f23b08001f8033c498f57468970414c97fccdf2c0c11a57

                                  SHA512

                                  d2d8c9af9a0cc6ae4145080c8abd43f2ebf3390fac7dc6b0959bf38378b51144b35a12f3a1b1e329444511261ec2627f6026a00ee34d1c4b3e8349e9ef42f158

                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  de0b282a39d977072882f13612cf171c

                                  SHA1

                                  f20eadd9dceb8a5db48c6a9d30c31a31d3098e4a

                                  SHA256

                                  d92b813de3c2bfd68f23b08001f8033c498f57468970414c97fccdf2c0c11a57

                                  SHA512

                                  d2d8c9af9a0cc6ae4145080c8abd43f2ebf3390fac7dc6b0959bf38378b51144b35a12f3a1b1e329444511261ec2627f6026a00ee34d1c4b3e8349e9ef42f158

                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  de0b282a39d977072882f13612cf171c

                                  SHA1

                                  f20eadd9dceb8a5db48c6a9d30c31a31d3098e4a

                                  SHA256

                                  d92b813de3c2bfd68f23b08001f8033c498f57468970414c97fccdf2c0c11a57

                                  SHA512

                                  d2d8c9af9a0cc6ae4145080c8abd43f2ebf3390fac7dc6b0959bf38378b51144b35a12f3a1b1e329444511261ec2627f6026a00ee34d1c4b3e8349e9ef42f158

                                • C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  1233932b94e731394d1a624df33aa285

                                  SHA1

                                  5d27f7b84e1c83e6e8ad4b3c61e95d60ee869f97

                                  SHA256

                                  916ae314fd92a8cd6c06833d62887b140feebe927c9001994706cb1660b3ce0d

                                  SHA512

                                  691f5feb8bc70dd1d4ed7ea9f980f13ba2e04eb7ecd331d53e35cf1e28ebea299d748a281b53f5b43228514a7e6b53d692a59dcde2df63b037ebbed9e2742205

                                • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  1233932b94e731394d1a624df33aa285

                                  SHA1

                                  5d27f7b84e1c83e6e8ad4b3c61e95d60ee869f97

                                  SHA256

                                  916ae314fd92a8cd6c06833d62887b140feebe927c9001994706cb1660b3ce0d

                                  SHA512

                                  691f5feb8bc70dd1d4ed7ea9f980f13ba2e04eb7ecd331d53e35cf1e28ebea299d748a281b53f5b43228514a7e6b53d692a59dcde2df63b037ebbed9e2742205

                                • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  de0b282a39d977072882f13612cf171c

                                  SHA1

                                  f20eadd9dceb8a5db48c6a9d30c31a31d3098e4a

                                  SHA256

                                  d92b813de3c2bfd68f23b08001f8033c498f57468970414c97fccdf2c0c11a57

                                  SHA512

                                  d2d8c9af9a0cc6ae4145080c8abd43f2ebf3390fac7dc6b0959bf38378b51144b35a12f3a1b1e329444511261ec2627f6026a00ee34d1c4b3e8349e9ef42f158

                                • C:\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  15e89f3566c3243d41a82a47e17b83eb

                                  SHA1

                                  81cd5e5dcff7ced838f2bff9e3dd6f876540078d

                                  SHA256

                                  ff4b936732e1462f0ff85624670f0e7a71b453cd3afb865baa3604472689135f

                                  SHA512

                                  91fb37bde9087d15e2b0e82f4910846df71b0df7ea3c1624357f215bfee606653a58da361051250db610c1a0d87d6b321d5daab872400c28d8f60101db2b8e27

                                • C:\odt\backup.exe

                                  Filesize

                                  72KB

                                  MD5

                                  10c2b0af2cd4923f5277fb32081c17af

                                  SHA1

                                  e69f7c23361acca467549f06938e1d0c30db0f91

                                  SHA256

                                  7db924a34942b884521b8abf34e9d9deb477aaab141671a61bd5a8eb1374ad4a

                                  SHA512

                                  ab60ba7933353d4f700d4b09f180f45937a57506909150cdeefe593bd6e69c953fa3380711116853d063ac7b6731b3bc7fe95d578c39b1dc2a10ceafe9ca0db9
