Analysis

  • max time kernel
    211s
  • max time network
    246s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 14:23

General

  • Target

    27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe

  • Size

    72KB

  • MD5

    00ef91b9925c158267e47d37a386d0f8

  • SHA1

    78a07403ee5d4af497e64613d6e6c57c70d78a9f

  • SHA256

    27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc

  • SHA512

    6c3810cd00310fc19b3dd2504f13174a822bca562b86ac039f0dc71af608d9ca6d1f88846542e9d35135ea77f48a8cfed5ae5ab6e303a75cc31d1ba8b14c704a

  • SSDEEP

    384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2s:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrP4

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
  • Disables RegEdit via registry modification 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe
    "C:\Users\Admin\AppData\Local\Temp\27fb6a480525d0916c7769c3d6b57779cd21ed1269d012362104772cae2162bc.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Users\Admin\AppData\Local\Temp\2703042586\backup.exe
      C:\Users\Admin\AppData\Local\Temp\2703042586\backup.exe C:\Users\Admin\AppData\Local\Temp\2703042586\
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\backup.exe
        \backup.exe \
        3⤵
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:5116
        • C:\odt\backup.exe
          C:\odt\backup.exe C:\odt\
          4⤵
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:3704
        • C:\PerfLogs\backup.exe
          C:\PerfLogs\backup.exe C:\PerfLogs\
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:3200
        • C:\Program Files\update.exe
          "C:\Program Files\update.exe" C:\Program Files\
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2688
          • C:\Program Files\7-Zip\backup.exe
            "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
            5⤵
            • Modifies visibility of file extensions in Explorer
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3084
            • C:\Program Files\7-Zip\Lang\backup.exe
              "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4588
          • C:\Program Files\Common Files\backup.exe
            "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
            5⤵
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3404
            • C:\Program Files\Common Files\DESIGNER\backup.exe
              "C:\Program Files\Common Files\DESIGNER\backup.exe" C:\Program Files\Common Files\DESIGNER\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4704
            • C:\Program Files\Common Files\microsoft shared\backup.exe
              "C:\Program Files\Common Files\microsoft shared\backup.exe" C:\Program Files\Common Files\microsoft shared\
              6⤵
              • Modifies visibility of file extensions in Explorer
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2312
              • C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe
                "C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe" C:\Program Files\Common Files\microsoft shared\ClickToRun\
                7⤵
                • Disables RegEdit via registry modification
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4068
              • C:\Program Files\Common Files\microsoft shared\ink\backup.exe
                "C:\Program Files\Common Files\microsoft shared\ink\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\
                7⤵
                • Modifies visibility of file extensions in Explorer
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3608
                • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\ar-SA\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:5044
                • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\bg-BG\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3720
                • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:384
                • C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\da-DK\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1764
                • C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\de-DE\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:3752
                • C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\el-GR\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:1424
                • C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-GB\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1008
                • C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\en-US\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:3764
                • C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-ES\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • System policy modification
                  PID:2940
                • C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\es-MX\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1132
                • C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\et-EE\
                  8⤵
                  • Disables RegEdit via registry modification
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2112
                • C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fi-FI\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:2848
                • C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fr-CA\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-CA\
                  8⤵
                  • Modifies visibility of file extensions in Explorer
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1164
                • C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fr-FR\
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  PID:1628
                • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe
                  "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\update.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\
                  8⤵
                  • Drops file in Program Files directory
                  PID:432
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    • System policy modification
                    PID:1580
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\
                    9⤵
                    • Modifies visibility of file extensions in Explorer
                    • Disables RegEdit via registry modification
                    PID:4148
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\System Restore.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\System Restore.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\
                    9⤵
                    • System policy modification
                    PID:1764
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\
                    9⤵
                    • System policy modification
                    PID:3644
                  • C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\
                    9⤵
                      PID:5028
                  • C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\he-IL\
                    8⤵
                    • Disables RegEdit via registry modification
                    PID:2036
                  • C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hr-HR\
                    8⤵
                    • Modifies visibility of file extensions in Explorer
                    • System policy modification
                    PID:2244
                  • C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\microsoft shared\ink\hu-HU\
                    8⤵
                      PID:4328
                  • C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\
                    7⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    PID:4060
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\update.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\update.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      • Disables RegEdit via registry modification
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:4684
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:1700
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • System policy modification
                      PID:3284
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\
                      8⤵
                      • System policy modification
                      PID:2832
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      • Disables RegEdit via registry modification
                      PID:1976
                    • C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\
                      8⤵
                      • System policy modification
                      PID:4660
                  • C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\OFFICE16\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\
                    7⤵
                    • Disables RegEdit via registry modification
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of SetWindowsHookEx
                    PID:4304
                    • C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\backup.exe" C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\
                      8⤵
                      • Modifies visibility of file extensions in Explorer
                      PID:1552
                  • C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
                    "C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
                    7⤵
                      PID:3912
                    • C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files\Common Files\microsoft shared\Source Engine\
                      7⤵
                      • Disables RegEdit via registry modification
                      PID:1068
                    • C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files\Common Files\microsoft shared\Stationery\
                      7⤵
                      • Modifies visibility of file extensions in Explorer
                      PID:544
                    • C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe
                      "C:\Program Files\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\
                      7⤵
                      • Modifies visibility of file extensions in Explorer
                      PID:2820
                      • C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe
                        "C:\Program Files\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\microsoft shared\TextConv\en-US\
                        8⤵
                          PID:1928
                    • C:\Program Files\Common Files\Services\backup.exe
                      "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
                      6⤵
                      • Disables RegEdit via registry modification
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:3128
                    • C:\Program Files\Common Files\System\backup.exe
                      "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
                      6⤵
                      • Modifies visibility of file extensions in Explorer
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      PID:4688
                      • C:\Program Files\Common Files\System\ado\System Restore.exe
                        "C:\Program Files\Common Files\System\ado\System Restore.exe" C:\Program Files\Common Files\System\ado\
                        7⤵
                        • Disables RegEdit via registry modification
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        PID:1752
                        • C:\Program Files\Common Files\System\ado\de-DE\backup.exe
                          "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
                          8⤵
                          • Disables RegEdit via registry modification
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:4828
                        • C:\Program Files\Common Files\System\ado\en-US\backup.exe
                          "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
                          8⤵
                            PID:4176
                          • C:\Program Files\Common Files\System\ado\es-ES\data.exe
                            "C:\Program Files\Common Files\System\ado\es-ES\data.exe" C:\Program Files\Common Files\System\ado\es-ES\
                            8⤵
                            • Modifies visibility of file extensions in Explorer
                            PID:2440
                          • C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
                            "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
                            8⤵
                              PID:316
                            • C:\Program Files\Common Files\System\ado\it-IT\backup.exe
                              "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
                              8⤵
                              • Modifies visibility of file extensions in Explorer
                              • Disables RegEdit via registry modification
                              PID:4172
                            • C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
                              "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
                              8⤵
                                PID:4304
                            • C:\Program Files\Common Files\System\de-DE\backup.exe
                              "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
                              7⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              • System policy modification
                              PID:4608
                            • C:\Program Files\Common Files\System\en-US\backup.exe
                              "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
                              7⤵
                                PID:2524
                              • C:\Program Files\Common Files\System\es-ES\backup.exe
                                "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
                                7⤵
                                • Disables RegEdit via registry modification
                                PID:4784
                              • C:\Program Files\Common Files\System\fr-FR\backup.exe
                                "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
                                7⤵
                                • Disables RegEdit via registry modification
                                • System policy modification
                                PID:4336
                              • C:\Program Files\Common Files\System\it-IT\update.exe
                                "C:\Program Files\Common Files\System\it-IT\update.exe" C:\Program Files\Common Files\System\it-IT\
                                7⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • System policy modification
                                PID:2648
                              • C:\Program Files\Common Files\System\ja-JP\backup.exe
                                "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
                                7⤵
                                  PID:212
                            • C:\Program Files\Google\backup.exe
                              "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
                              5⤵
                              • Modifies visibility of file extensions in Explorer
                              • Disables RegEdit via registry modification
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of SetWindowsHookEx
                              • System policy modification
                              PID:4040
                              • C:\Program Files\Google\Chrome\backup.exe
                                "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
                                6⤵
                                • Modifies visibility of file extensions in Explorer
                                • Disables RegEdit via registry modification
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                • System policy modification
                                PID:2252
                                • C:\Program Files\Google\Chrome\Application\data.exe
                                  "C:\Program Files\Google\Chrome\Application\data.exe" C:\Program Files\Google\Chrome\Application\
                                  7⤵
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  PID:920
                                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe
                                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
                                    8⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:5072
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
                                      9⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Disables RegEdit via registry modification
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      • System policy modification
                                      PID:4416
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\data.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
                                      9⤵
                                      • Modifies visibility of file extensions in Explorer
                                      PID:1888
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\System Restore.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\System Restore.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
                                      9⤵
                                      • System policy modification
                                      PID:4704
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
                                      9⤵
                                      • System policy modification
                                      PID:4348
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
                                      9⤵
                                        PID:4396
                                    • C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
                                      "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
                                      8⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4324
                              • C:\Program Files\Internet Explorer\backup.exe
                                "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
                                5⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious use of SetWindowsHookEx
                                PID:208
                                • C:\Program Files\Internet Explorer\de-DE\System Restore.exe
                                  "C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
                                  6⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:1216
                                • C:\Program Files\Internet Explorer\en-US\backup.exe
                                  "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
                                  6⤵
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:2700
                                • C:\Program Files\Internet Explorer\es-ES\backup.exe
                                  "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
                                  6⤵
                                  • System policy modification
                                  PID:4792
                                • C:\Program Files\Internet Explorer\fr-FR\backup.exe
                                  "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
                                  6⤵
                                  • System policy modification
                                  PID:4940
                                • C:\Program Files\Internet Explorer\images\backup.exe
                                  "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
                                  6⤵
                                  • Modifies visibility of file extensions in Explorer
                                  PID:3936
                                • C:\Program Files\Internet Explorer\it-IT\update.exe
                                  "C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\
                                  6⤵
                                  • Disables RegEdit via registry modification
                                  • System policy modification
                                  PID:3336
                                • C:\Program Files\Internet Explorer\ja-JP\backup.exe
                                  "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
                                  6⤵
                                    PID:2848
                                • C:\Program Files\Java\backup.exe
                                  "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
                                  5⤵
                                  • Modifies visibility of file extensions in Explorer
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • Suspicious use of SetWindowsHookEx
                                  • System policy modification
                                  PID:5000
                                  • C:\Program Files\Java\jdk1.8.0_66\backup.exe
                                    "C:\Program Files\Java\jdk1.8.0_66\backup.exe" C:\Program Files\Java\jdk1.8.0_66\
                                    6⤵
                                    • Modifies visibility of file extensions in Explorer
                                    PID:2288
                                    • C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe
                                      "C:\Program Files\Java\jdk1.8.0_66\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\bin\
                                      7⤵
                                      • Disables RegEdit via registry modification
                                      PID:4020
                                    • C:\Program Files\Java\jdk1.8.0_66\db\backup.exe
                                      "C:\Program Files\Java\jdk1.8.0_66\db\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\
                                      7⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Drops file in Program Files directory
                                      • System policy modification
                                      PID:1680
                                      • C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe
                                        "C:\Program Files\Java\jdk1.8.0_66\db\bin\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\bin\
                                        8⤵
                                        • Disables RegEdit via registry modification
                                        PID:1592
                                      • C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe
                                        "C:\Program Files\Java\jdk1.8.0_66\db\lib\backup.exe" C:\Program Files\Java\jdk1.8.0_66\db\lib\
                                        8⤵
                                          PID:680
                                    • C:\Program Files\Java\jre1.8.0_66\backup.exe
                                      "C:\Program Files\Java\jre1.8.0_66\backup.exe" C:\Program Files\Java\jre1.8.0_66\
                                      6⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Drops file in Program Files directory
                                      • System policy modification
                                      PID:1692
                                      • C:\Program Files\Java\jre1.8.0_66\bin\backup.exe
                                        "C:\Program Files\Java\jre1.8.0_66\bin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\
                                        7⤵
                                        • Modifies visibility of file extensions in Explorer
                                        • Disables RegEdit via registry modification
                                        PID:1208
                                        • C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe
                                          "C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\backup.exe" C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\
                                          8⤵
                                            PID:4408
                                    • C:\Program Files\Microsoft Office\backup.exe
                                      "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
                                      5⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Disables RegEdit via registry modification
                                      • System policy modification
                                      PID:1412
                                      • C:\Program Files\Microsoft Office\Office16\backup.exe
                                        "C:\Program Files\Microsoft Office\Office16\backup.exe" C:\Program Files\Microsoft Office\Office16\
                                        6⤵
                                        • Modifies visibility of file extensions in Explorer
                                        PID:3496
                                      • C:\Program Files\Microsoft Office\PackageManifests\backup.exe
                                        "C:\Program Files\Microsoft Office\PackageManifests\backup.exe" C:\Program Files\Microsoft Office\PackageManifests\
                                        6⤵
                                          PID:1060
                                    • C:\Program Files (x86)\data.exe
                                      "C:\Program Files (x86)\data.exe" C:\Program Files (x86)\
                                      4⤵
                                      • Modifies visibility of file extensions in Explorer
                                      • Executes dropped EXE
                                      • Drops file in Program Files directory
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4920
                                      • C:\Program Files (x86)\Adobe\backup.exe
                                        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
                                        5⤵
                                        • Modifies visibility of file extensions in Explorer
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        • System policy modification
                                        PID:4228
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\
                                          6⤵
                                          • Modifies visibility of file extensions in Explorer
                                          • Disables RegEdit via registry modification
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          • Suspicious use of SetWindowsHookEx
                                          • System policy modification
                                          PID:5076
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
                                            7⤵
                                            • Disables RegEdit via registry modification
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:3488
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
                                            7⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Suspicious use of SetWindowsHookEx
                                            • System policy modification
                                            PID:1992
                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe
                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
                                              8⤵
                                                PID:2564
                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe
                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
                                                  9⤵
                                                  • Modifies visibility of file extensions in Explorer
                                                  • Disables RegEdit via registry modification
                                                  • System policy modification
                                                  PID:3180
                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe
                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\
                                                8⤵
                                                • Modifies visibility of file extensions in Explorer
                                                • Disables RegEdit via registry modification
                                                PID:3908
                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe
                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\
                                                  9⤵
                                                  • Disables RegEdit via registry modification
                                                  PID:5064
                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe
                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\
                                                8⤵
                                                  PID:4008
                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe
                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\
                                                7⤵
                                                • Modifies visibility of file extensions in Explorer
                                                • Drops file in Program Files directory
                                                PID:4184
                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe
                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\
                                                  8⤵
                                                  • Drops file in Program Files directory
                                                  PID:3376
                                          • C:\Program Files (x86)\Common Files\backup.exe
                                            "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
                                            5⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Suspicious use of SetWindowsHookEx
                                            PID:640
                                            • C:\Program Files (x86)\Common Files\Adobe\backup.exe
                                              "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
                                              6⤵
                                              • Modifies visibility of file extensions in Explorer
                                              • Disables RegEdit via registry modification
                                              • Drops file in Program Files directory
                                              PID:3384
                                              • C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
                                                "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
                                                7⤵
                                                • Modifies visibility of file extensions in Explorer
                                                • Disables RegEdit via registry modification
                                                PID:4924
                                              • C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe
                                                "C:\Program Files (x86)\Common Files\Adobe\ARM\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\
                                                7⤵
                                                • Modifies visibility of file extensions in Explorer
                                                • Disables RegEdit via registry modification
                                                • Drops file in Program Files directory
                                                PID:1708
                                                • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe
                                                  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
                                                  8⤵
                                                  • Disables RegEdit via registry modification
                                                  PID:1020
                                              • C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe
                                                "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\
                                                7⤵
                                                  PID:1248
                                                  • C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe
                                                    "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\
                                                    8⤵
                                                    • Modifies visibility of file extensions in Explorer
                                                    • System policy modification
                                                    PID:4016
                                                • C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe
                                                  "C:\Program Files (x86)\Common Files\Adobe\Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Reader\
                                                  7⤵
                                                    PID:4824
                                                • C:\Program Files (x86)\Common Files\Java\backup.exe
                                                  "C:\Program Files (x86)\Common Files\Java\backup.exe" C:\Program Files (x86)\Common Files\Java\
                                                  6⤵
                                                  • Modifies visibility of file extensions in Explorer
                                                  • Disables RegEdit via registry modification
                                                  • Drops file in Program Files directory
                                                  • System policy modification
                                                  PID:4828
                                                  • C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe
                                                    "C:\Program Files (x86)\Common Files\Java\Java Update\backup.exe" C:\Program Files (x86)\Common Files\Java\Java Update\
                                                    7⤵
                                                      PID:3700
                                                • C:\Program Files (x86)\Google\backup.exe
                                                  "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
                                                  5⤵
                                                  • Modifies visibility of file extensions in Explorer
                                                  PID:5032
                                                  • C:\Program Files (x86)\Google\CrashReports\backup.exe
                                                    "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
                                                    6⤵
                                                      PID:3552
                                                • C:\Users\backup.exe
                                                  C:\Users\backup.exe C:\Users\
                                                  4⤵
                                                  • Modifies visibility of file extensions in Explorer
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  • System policy modification
                                                  PID:4716
                                                  • C:\Users\Admin\backup.exe
                                                    C:\Users\Admin\backup.exe C:\Users\Admin\
                                                    5⤵
                                                    • Modifies visibility of file extensions in Explorer
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:3500
                                                    • C:\Users\Admin\3D Objects\backup.exe
                                                      "C:\Users\Admin\3D Objects\backup.exe" C:\Users\Admin\3D Objects\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:748
                                                    • C:\Users\Admin\Contacts\backup.exe
                                                      C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      PID:4900
                                                    • C:\Users\Admin\Desktop\backup.exe
                                                      C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • Disables RegEdit via registry modification
                                                      PID:3464
                                                    • C:\Users\Admin\Documents\backup.exe
                                                      C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
                                                      6⤵
                                                      • Modifies visibility of file extensions in Explorer
                                                      • Disables RegEdit via registry modification
                                                      PID:400
                                                    • C:\Users\Admin\Downloads\backup.exe
                                                      C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
                                                      6⤵
                                                        PID:1260
                                                      • C:\Users\Admin\Favorites\backup.exe
                                                        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
                                                        6⤵
                                                          PID:3464
                                                        • C:\Users\Admin\Links\backup.exe
                                                          C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
                                                          6⤵
                                                            PID:5112
                                                        • C:\Users\Public\backup.exe
                                                          C:\Users\Public\backup.exe C:\Users\Public\
                                                          5⤵
                                                          • Disables RegEdit via registry modification
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1560
                                                          • C:\Users\Public\Documents\backup.exe
                                                            C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
                                                            6⤵
                                                            • Disables RegEdit via registry modification
                                                            • System policy modification
                                                            PID:1148
                                                          • C:\Users\Public\Downloads\data.exe
                                                            C:\Users\Public\Downloads\data.exe C:\Users\Public\Downloads\
                                                            6⤵
                                                            • Modifies visibility of file extensions in Explorer
                                                            PID:3576
                                                          • C:\Users\Public\Music\backup.exe
                                                            C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
                                                            6⤵
                                                              PID:3252
                                                            • C:\Users\Public\Pictures\backup.exe
                                                              C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
                                                              6⤵
                                                              • Disables RegEdit via registry modification
                                                              PID:2168
                                                        • C:\Windows\backup.exe
                                                          C:\Windows\backup.exe C:\Windows\
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • Drops file in Windows directory
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:384
                                                          • C:\Windows\addins\backup.exe
                                                            C:\Windows\addins\backup.exe C:\Windows\addins\
                                                            5⤵
                                                            • Disables RegEdit via registry modification
                                                            • Executes dropped EXE
                                                            • System policy modification
                                                            PID:4724
                                                          • C:\Windows\appcompat\backup.exe
                                                            C:\Windows\appcompat\backup.exe C:\Windows\appcompat\
                                                            5⤵
                                                            • Drops file in Windows directory
                                                            PID:3060
                                                            • C:\Windows\appcompat\appraiser\backup.exe
                                                              C:\Windows\appcompat\appraiser\backup.exe C:\Windows\appcompat\appraiser\
                                                              6⤵
                                                              • Drops file in Windows directory
                                                              • System policy modification
                                                              PID:5024
                                                              • C:\Windows\appcompat\appraiser\Telemetry\backup.exe
                                                                C:\Windows\appcompat\appraiser\Telemetry\backup.exe C:\Windows\appcompat\appraiser\Telemetry\
                                                                7⤵
                                                                • Modifies visibility of file extensions in Explorer
                                                                PID:1240
                                                            • C:\Windows\appcompat\encapsulation\backup.exe
                                                              C:\Windows\appcompat\encapsulation\backup.exe C:\Windows\appcompat\encapsulation\
                                                              6⤵
                                                              • Modifies visibility of file extensions in Explorer
                                                              • System policy modification
                                                              PID:3812
                                                            • C:\Windows\appcompat\Programs\backup.exe
                                                              C:\Windows\appcompat\Programs\backup.exe C:\Windows\appcompat\Programs\
                                                              6⤵
                                                                PID:1580
                                                            • C:\Windows\apppatch\backup.exe
                                                              C:\Windows\apppatch\backup.exe C:\Windows\apppatch\
                                                              5⤵
                                                              • Disables RegEdit via registry modification
                                                              • Drops file in Windows directory
                                                              PID:2580
                                                              • C:\Windows\apppatch\AppPatch64\backup.exe
                                                                C:\Windows\apppatch\AppPatch64\backup.exe C:\Windows\apppatch\AppPatch64\
                                                                6⤵
                                                                • Modifies visibility of file extensions in Explorer
                                                                • Disables RegEdit via registry modification
                                                                • System policy modification
                                                                PID:2620
                                                              • C:\Windows\apppatch\Custom\backup.exe
                                                                C:\Windows\apppatch\Custom\backup.exe C:\Windows\apppatch\Custom\
                                                                6⤵
                                                                  PID:4488
                                                        • C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
                                                          C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3492
                                                        • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
                                                          C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
                                                          2⤵
                                                          • Disables RegEdit via registry modification
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          • System policy modification
                                                          PID:1160
                                                        • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
                                                          C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3332
                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
                                                          2⤵
                                                          • Disables RegEdit via registry modification
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3456
                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
                                                          2⤵
                                                          • Modifies visibility of file extensions in Explorer
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4424
                                                        • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
                                                          C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1240

                                                      Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Downloads

                                                      • C:\PerfLogs\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        ccc0eb8a6475600cc50a7ba286fbae27

                                                        SHA1

                                                        1136239311df875de99a7e53a15083cb59f117a0

                                                        SHA256

                                                        52aeb0a3f646ac9e5dbe1c1017c990aa2227ce24ae1617c510460e500047d18a

                                                        SHA512

                                                        b9f034565787428ef8e1327cdaccfa2927df844c14419046379e20c400a01cc6a596d45f52cbd154784563017298c94b64de5c50d15b7300d3f41f1e06fd0160

                                                      • C:\PerfLogs\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        ccc0eb8a6475600cc50a7ba286fbae27

                                                        SHA1

                                                        1136239311df875de99a7e53a15083cb59f117a0

                                                        SHA256

                                                        52aeb0a3f646ac9e5dbe1c1017c990aa2227ce24ae1617c510460e500047d18a

                                                        SHA512

                                                        b9f034565787428ef8e1327cdaccfa2927df844c14419046379e20c400a01cc6a596d45f52cbd154784563017298c94b64de5c50d15b7300d3f41f1e06fd0160

                                                      • C:\Program Files (x86)\data.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        46c1055b4afb6659b4fd9a5b7c40ce43

                                                        SHA1

                                                        d93aaab3b7347a49a9571595be444e8eb187c659

                                                        SHA256

                                                        bb51fc63ba2926fdac2bdef54d814bc80ec96b60e72153415b8d02eeda40bb53

                                                        SHA512

                                                        aea590f5fcad12cdf6f43c8544c6e2bbdfefd24cf84cbea7ae61e099801008900ceae83e04f2821a8ba3207b84fee8f9464353408797adcb1d6ab0fc3a19f89f

                                                      • C:\Program Files (x86)\data.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        46c1055b4afb6659b4fd9a5b7c40ce43

                                                        SHA1

                                                        d93aaab3b7347a49a9571595be444e8eb187c659

                                                        SHA256

                                                        bb51fc63ba2926fdac2bdef54d814bc80ec96b60e72153415b8d02eeda40bb53

                                                        SHA512

                                                        aea590f5fcad12cdf6f43c8544c6e2bbdfefd24cf84cbea7ae61e099801008900ceae83e04f2821a8ba3207b84fee8f9464353408797adcb1d6ab0fc3a19f89f

                                                      • C:\Program Files\7-Zip\Lang\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        9e20d3a8d6757a781f6c34e667c13243

                                                        SHA1

                                                        6a3426f9bd752409e1142c7ac9b3801836f4aef4

                                                        SHA256

                                                        e694682f6ee23b098a4fdae45690cd614fbfd4e4fe6b7f03c825fe98eff26a31

                                                        SHA512

                                                        8bb33af72ec62560fdfe75f95d75dddcf5fa22317724766430a33f4537e2dafbb005038a745219cabce98ae54394b4857bac2b69f099dec3b44723cd19cf41f3

                                                      • C:\Program Files\7-Zip\Lang\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        9e20d3a8d6757a781f6c34e667c13243

                                                        SHA1

                                                        6a3426f9bd752409e1142c7ac9b3801836f4aef4

                                                        SHA256

                                                        e694682f6ee23b098a4fdae45690cd614fbfd4e4fe6b7f03c825fe98eff26a31

                                                        SHA512

                                                        8bb33af72ec62560fdfe75f95d75dddcf5fa22317724766430a33f4537e2dafbb005038a745219cabce98ae54394b4857bac2b69f099dec3b44723cd19cf41f3

                                                      • C:\Program Files\7-Zip\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        c20fa1e79c15d56cde9481cd6142236b

                                                        SHA1

                                                        0df3431fc1fe4036bd84a095a9e89907f5210ddd

                                                        SHA256

                                                        63ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9

                                                        SHA512

                                                        85b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6

                                                      • C:\Program Files\7-Zip\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        c20fa1e79c15d56cde9481cd6142236b

                                                        SHA1

                                                        0df3431fc1fe4036bd84a095a9e89907f5210ddd

                                                        SHA256

                                                        63ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9

                                                        SHA512

                                                        85b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6

                                                      • C:\Program Files\Common Files\DESIGNER\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        52f9009ff23e357b46334b33db1ddd59

                                                        SHA1

                                                        4195a05d5341a1f6833a08c68189be2572d852e3

                                                        SHA256

                                                        5716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57

                                                        SHA512

                                                        e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428

                                                      • C:\Program Files\Common Files\DESIGNER\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        52f9009ff23e357b46334b33db1ddd59

                                                        SHA1

                                                        4195a05d5341a1f6833a08c68189be2572d852e3

                                                        SHA256

                                                        5716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57

                                                        SHA512

                                                        e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428

                                                      • C:\Program Files\Common Files\Services\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        484df5478f483699849e9ab58f7696b8

                                                        SHA1

                                                        9127c73b426f13ad47cb53a0aeb4d2b1f279633d

                                                        SHA256

                                                        60491a6d69e742e75f41b031086a21125d15eba637e26430a0105d4445f11277

                                                        SHA512

                                                        a2f6718f81ff9605610bb874188697b7de74ab067933b2a4e9f5172d9b4ace54829a7d9e8858195e6af7c5550677c8bc67f3db37975f94bb562c665dc041f2b5

                                                      • C:\Program Files\Common Files\Services\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        484df5478f483699849e9ab58f7696b8

                                                        SHA1

                                                        9127c73b426f13ad47cb53a0aeb4d2b1f279633d

                                                        SHA256

                                                        60491a6d69e742e75f41b031086a21125d15eba637e26430a0105d4445f11277

                                                        SHA512

                                                        a2f6718f81ff9605610bb874188697b7de74ab067933b2a4e9f5172d9b4ace54829a7d9e8858195e6af7c5550677c8bc67f3db37975f94bb562c665dc041f2b5

                                                      • C:\Program Files\Common Files\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        c20fa1e79c15d56cde9481cd6142236b

                                                        SHA1

                                                        0df3431fc1fe4036bd84a095a9e89907f5210ddd

                                                        SHA256

                                                        63ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9

                                                        SHA512

                                                        85b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6

                                                      • C:\Program Files\Common Files\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        c20fa1e79c15d56cde9481cd6142236b

                                                        SHA1

                                                        0df3431fc1fe4036bd84a095a9e89907f5210ddd

                                                        SHA256

                                                        63ddba82e405288c127942f12a004d47d28c9d27390314971964abb4e49e9ae9

                                                        SHA512

                                                        85b4ecaca68bd9d55b7d8ff35828cc3ac4133cc9daac4c02cd70eed7cba3fc8582cf15c419a9b9b514923179cd5f138520f1506ab8e56a5c30b53ab3fe4197f6

                                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        aa5ddfd60e4f4fe5ec3772f418298c24

                                                        SHA1

                                                        8b801359dca05ebb5204ba02a344302f535b8873

                                                        SHA256

                                                        9e5edbaf092b739e4a3280fa8fc0d6434cbd3bf52e519e041ef499b0f9624f77

                                                        SHA512

                                                        3b49b971757b1709fa70486da5533272088ab933b1e7a556dc4c2c753befdaa61c6f8e1034ec1251ed7fbef6fb55fea569baee30e54c473653a1905f65ab6ecd

                                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        aa5ddfd60e4f4fe5ec3772f418298c24

                                                        SHA1

                                                        8b801359dca05ebb5204ba02a344302f535b8873

                                                        SHA256

                                                        9e5edbaf092b739e4a3280fa8fc0d6434cbd3bf52e519e041ef499b0f9624f77

                                                        SHA512

                                                        3b49b971757b1709fa70486da5533272088ab933b1e7a556dc4c2c753befdaa61c6f8e1034ec1251ed7fbef6fb55fea569baee30e54c473653a1905f65ab6ecd

                                                      • C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        0d540cded8a68aba304dc3b490d72487

                                                        SHA1

                                                        38ffaedbc90338a6b13697b007399ed42f3d73c3

                                                        SHA256

                                                        3b620129f4c09dd3dfa28e7a7f9c0512c14bbe00bd69d7f35ec80052edb650cb

                                                        SHA512

                                                        3751e2fadb7ec1ef508149d34c75829e31b3f813fb552170d59ddcaa6679dcc4ff650ab1d00a1dac199016b5d016bc6b38c0797cb6a15dd2ba9d3d64545e548a

                                                      • C:\Program Files\Common Files\microsoft shared\MSInfo\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        0d540cded8a68aba304dc3b490d72487

                                                        SHA1

                                                        38ffaedbc90338a6b13697b007399ed42f3d73c3

                                                        SHA256

                                                        3b620129f4c09dd3dfa28e7a7f9c0512c14bbe00bd69d7f35ec80052edb650cb

                                                        SHA512

                                                        3751e2fadb7ec1ef508149d34c75829e31b3f813fb552170d59ddcaa6679dcc4ff650ab1d00a1dac199016b5d016bc6b38c0797cb6a15dd2ba9d3d64545e548a

                                                      • C:\Program Files\Common Files\microsoft shared\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        52f9009ff23e357b46334b33db1ddd59

                                                        SHA1

                                                        4195a05d5341a1f6833a08c68189be2572d852e3

                                                        SHA256

                                                        5716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57

                                                        SHA512

                                                        e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428

                                                      • C:\Program Files\Common Files\microsoft shared\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        52f9009ff23e357b46334b33db1ddd59

                                                        SHA1

                                                        4195a05d5341a1f6833a08c68189be2572d852e3

                                                        SHA256

                                                        5716f69ea07deca625979708da6bcc740e6179043374a2d0441edc4e720a7f57

                                                        SHA512

                                                        e3cc5e12f34a21c053bb86f0bf7bfd3ed5c285fc11ecc4eef372e68d4b9ed1294fa94cf05b4845722075b25e1e7fbc052729e5351357f59a80de1fddd1403428

                                                      • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        32f3ab6808c80f8f8e928ac166da9447

                                                        SHA1

                                                        44749befd79e4ab20f6641478df21dc4710d7f4d

                                                        SHA256

                                                        217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e

                                                        SHA512

                                                        96b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c

                                                      • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        32f3ab6808c80f8f8e928ac166da9447

                                                        SHA1

                                                        44749befd79e4ab20f6641478df21dc4710d7f4d

                                                        SHA256

                                                        217a4b768bf513f9be03a8f6554b19267bfdd574a96074ee7ae48f5436cd610e

                                                        SHA512

                                                        96b96c960443fb895842ddc735af3f20634130b1ac31afe66ef1e672fc69859af26909fb12f00cb1fce8946da7328a37adeb41fac8edb587080b086b7d4c5c6c

                                                      • C:\Program Files\Common Files\microsoft shared\ink\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        b8c80d26252a60df64768062a8a2c9db

                                                        SHA1

                                                        f525787e8ec5dbea789b8f1cb34882b99870de91

                                                        SHA256

                                                        7fe1b3e66d650a5940f123a88e79aee8b1da8c568425c01bb34b90ddfed5030d

                                                        SHA512

                                                        d9f3c854565cbf705e462a146f0f70fffa005b6b8555c7ea2179dffdf50265ee664afbcc2e6d59447e7a8a063d28405c41ce6c1b0d2f0d53c5442c901fc0985b

                                                      • C:\Program Files\Common Files\microsoft shared\ink\backup.exe

                                                        Filesize

                                                        72KB

                                                        MD5

                                                        b8c80d26252a60df64768062a8a2c9db

                                                        SHA1

                                                        f525787e8ec5dbea789b8f1cb34882b99870de91

                                                        SHA256

                                                        7fe1b3e66d650a5940f123a88e79aee8b1da8c568425c01bb34b90ddfed5030d

                                                        SHA512

                                                        d9f3c854565cbf705e462a146f0f70fffa005b6b8555c7ea2179dffdf50265ee664afbcc2e6d59447e7a8a063d28405c41ce6c1b0d2f0d53c5442c901fc0985b

                                                      • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\da-DK\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\de-DE\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\el-GR\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\en-GB\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\en-US\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\es-ES\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Common Files\microsoft shared\ink\es-MX\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\Google\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files\update.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\2703042586\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\update.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe

                                                        Filesize

                                                        72KB

                                                      • C:\backup.exe

                                                        Filesize

                                                        72KB

                                                      • C:\odt\backup.exe

                                                        Filesize

                                                        72KB
