b5c543a76ed1cd7ed735adbabcf73cb5bbd94593032d4b92754b1c2a673135cc

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
Size

84KB
MD5

ad4bd403c9db556a0269455379e0b8b0
SHA1

56bf2136fc9c28b095e67d581a7b697c8d5aee22
SHA256

b5c543a76ed1cd7ed735adbabcf73cb5bbd94593032d4b92754b1c2a673135cc
SHA512

a0ced6c59ce8edfa39b06771c8baedcc865182d42e685705c294811596bf2f0b1c831a6e0782e5e2664a80a095db3c74b175d03b4f6ef98908b48757404d1e1d
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmV:BeT7BVwxfvEFwjRV

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2348	backup.exe
2704	backup.exe
2916	backup.exe
2656	backup.exe
2540	backup.exe
2568	backup.exe
2536	update.exe
752	backup.exe
572	backup.exe
2856	backup.exe
956	backup.exe
940	backup.exe
912	backup.exe
1544	backup.exe
1584	backup.exe
2332	System Restore.exe
836	backup.exe
2032	backup.exe
988	data.exe
1684	backup.exe
1872	backup.exe
1284	backup.exe
1388	backup.exe
896	backup.exe
2224	backup.exe
2984	backup.exe
2636	backup.exe
2924	backup.exe
2732	backup.exe
2668	backup.exe
2828	backup.exe
2496	backup.exe
2424	data.exe
2564	backup.exe
2004	backup.exe
1160	backup.exe
1824	backup.exe
2852	backup.exe
2900	System Restore.exe
2176	backup.exe
1632	update.exe
1948	data.exe
2684	backup.exe
1648	backup.exe
1600	backup.exe
2840	backup.exe
2160	backup.exe
2144	System Restore.exe
2932	backup.exe
2352	backup.exe
2088	System Restore.exe
1944	backup.exe
1588	backup.exe
1876	backup.exe
1784	backup.exe
596	data.exe
2956	backup.exe
3032	backup.exe
860	backup.exe
2168	backup.exe
3028	backup.exe
2708	backup.exe
1680	backup.exe
2644	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
752	backup.exe
752	backup.exe
2536	update.exe
2536	update.exe
2536	update.exe
572	backup.exe
572	backup.exe
752	backup.exe
752	backup.exe
956	backup.exe
956	backup.exe
940	backup.exe
940	backup.exe
956	backup.exe
956	backup.exe
1544	backup.exe
1544	backup.exe
1584	backup.exe
1584	backup.exe
1584	backup.exe
1584	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
836	backup.exe
2732	backup.exe
2732	backup.exe
2732	backup.exe
2732	backup.exe
2732	backup.exe
2732	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0028000000016d01-5.dat	upx
behavioral1/memory/2348-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0028000000016d01-9.dat	upx
behavioral1/files/0x0028000000016d01-12.dat	upx
behavioral1/files/0x0028000000016d01-7.dat	upx
behavioral1/files/0x0007000000016d7a-17.dat	upx
behavioral1/files/0x0007000000016d7a-19.dat	upx
behavioral1/files/0x0007000000016d7a-23.dat	upx
behavioral1/memory/2704-29-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016dac-30.dat	upx
behavioral1/files/0x0008000000016dac-34.dat	upx
behavioral1/files/0x0008000000016dac-27.dat	upx
behavioral1/files/0x0008000000016da8-40.dat	upx
behavioral1/memory/2068-48-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016da8-47.dat	upx
behavioral1/files/0x0008000000016da8-42.dat	upx
behavioral1/memory/2656-54-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000018727-55.dat	upx
behavioral1/files/0x0005000000018727-59.dat	upx
behavioral1/files/0x0005000000018727-52.dat	upx
behavioral1/files/0x0011000000016d1d-64.dat	upx
behavioral1/files/0x0011000000016d1d-72.dat	upx
behavioral1/memory/2348-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2540-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0011000000016d1d-66.dat	upx
behavioral1/memory/2568-79-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000500000001873d-77.dat	upx
behavioral1/files/0x000500000001873d-81.dat	upx
behavioral1/files/0x000500000001873d-82.dat	upx
behavioral1/files/0x0028000000016d01-83.dat	upx
behavioral1/files/0x000b000000016e9b-90.dat	upx
behavioral1/memory/2916-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/752-95-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000b000000016e9b-96.dat	upx
behavioral1/files/0x0006000000018b13-98.dat	upx
behavioral1/files/0x0006000000018b13-100.dat	upx
behavioral1/files/0x0006000000018b13-104.dat	upx
behavioral1/files/0x000500000001873d-105.dat	upx
behavioral1/files/0x000500000001873d-106.dat	upx
behavioral1/files/0x000500000001873d-108.dat	upx
behavioral1/files/0x0006000000018b13-113.dat	upx
behavioral1/files/0x0006000000018b67-123.dat	upx
behavioral1/files/0x0006000000018b67-118.dat	upx
behavioral1/files/0x0006000000018b67-115.dat	upx
behavioral1/memory/2536-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2856-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018b8f-138.dat	upx
behavioral1/memory/752-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018b8f-134.dat	upx
behavioral1/memory/572-131-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000018b8f-129.dat	upx
behavioral1/files/0x0006000000018b8f-142.dat	upx
behavioral1/files/0x0008000000018b70-144.dat	upx
behavioral1/files/0x0008000000018b70-146.dat	upx
behavioral1/files/0x0008000000018b70-151.dat	upx
behavioral1/files/0x0008000000018b70-155.dat	upx
behavioral1/files/0x0006000000018ba8-157.dat	upx
behavioral1/files/0x0006000000018ba8-159.dat	upx
behavioral1/files/0x0006000000018ba8-164.dat	upx
behavioral1/files/0x00040000000192c9-174.dat	upx
behavioral1/files/0x00040000000192c9-172.dat	upx
behavioral1/memory/912-171-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00040000000192c9-178.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\update.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	update.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
2348	backup.exe
2704	backup.exe
2916	backup.exe
2656	backup.exe
2540	backup.exe
2568	backup.exe
752	backup.exe
572	backup.exe
2536	update.exe
2856	backup.exe
956	backup.exe
940	backup.exe
912	backup.exe
1544	backup.exe
1584	backup.exe
2332	System Restore.exe
836	backup.exe
2032	backup.exe
988	data.exe
1684	backup.exe
1872	backup.exe
1284	backup.exe
1388	backup.exe
896	backup.exe
2224	backup.exe
2984	backup.exe
2636	backup.exe
2924	backup.exe
2732	backup.exe
2668	backup.exe
2828	backup.exe
2496	backup.exe
2424	data.exe
2564	backup.exe
2004	backup.exe
1160	backup.exe
1824	backup.exe
2852	backup.exe
2900	System Restore.exe
2176	backup.exe
1632	update.exe
1948	data.exe
2684	backup.exe
1648	backup.exe
1600	backup.exe
2840	backup.exe
2160	backup.exe
2144	System Restore.exe
2932	backup.exe
2352	backup.exe
2088	System Restore.exe
1944	backup.exe
1588	backup.exe
1876	backup.exe
1784	backup.exe
596	data.exe
2956	backup.exe
3032	backup.exe
860	backup.exe
2168	backup.exe
3028	backup.exe
2708	backup.exe
1680	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2348	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	28
PID 2068 wrote to memory of 2348	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	28
PID 2068 wrote to memory of 2348	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	28
PID 2068 wrote to memory of 2348	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	28
PID 2068 wrote to memory of 2704	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	29
PID 2068 wrote to memory of 2704	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	29
PID 2068 wrote to memory of 2704	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	29
PID 2068 wrote to memory of 2704	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	29
PID 2068 wrote to memory of 2916	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	30
PID 2068 wrote to memory of 2916	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	30
PID 2068 wrote to memory of 2916	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	30
PID 2068 wrote to memory of 2916	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	30
PID 2068 wrote to memory of 2656	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	31
PID 2068 wrote to memory of 2656	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	31
PID 2068 wrote to memory of 2656	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	31
PID 2068 wrote to memory of 2656	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	31
PID 2068 wrote to memory of 2540	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	32
PID 2068 wrote to memory of 2540	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	32
PID 2068 wrote to memory of 2540	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	32
PID 2068 wrote to memory of 2540	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	32
PID 2068 wrote to memory of 2568	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	33
PID 2068 wrote to memory of 2568	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	33
PID 2068 wrote to memory of 2568	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	33
PID 2068 wrote to memory of 2568	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	33
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2068 wrote to memory of 2536	2068	NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe	34
PID 2348 wrote to memory of 752	2348	backup.exe	35
PID 2348 wrote to memory of 752	2348	backup.exe	35
PID 2348 wrote to memory of 752	2348	backup.exe	35
PID 2348 wrote to memory of 752	2348	backup.exe	35
PID 752 wrote to memory of 572	752	backup.exe	36
PID 752 wrote to memory of 572	752	backup.exe	36
PID 752 wrote to memory of 572	752	backup.exe	36
PID 752 wrote to memory of 572	752	backup.exe	36
PID 572 wrote to memory of 2856	572	backup.exe	37
PID 572 wrote to memory of 2856	572	backup.exe	37
PID 572 wrote to memory of 2856	572	backup.exe	37
PID 572 wrote to memory of 2856	572	backup.exe	37
PID 752 wrote to memory of 956	752	backup.exe	38
PID 752 wrote to memory of 956	752	backup.exe	38
PID 752 wrote to memory of 956	752	backup.exe	38
PID 752 wrote to memory of 956	752	backup.exe	38
PID 956 wrote to memory of 940	956	backup.exe	39
PID 956 wrote to memory of 940	956	backup.exe	39
PID 956 wrote to memory of 940	956	backup.exe	39
PID 956 wrote to memory of 940	956	backup.exe	39
PID 940 wrote to memory of 912	940	backup.exe	40
PID 940 wrote to memory of 912	940	backup.exe	40
PID 940 wrote to memory of 912	940	backup.exe	40
PID 940 wrote to memory of 912	940	backup.exe	40
PID 956 wrote to memory of 1544	956	backup.exe	41
PID 956 wrote to memory of 1544	956	backup.exe	41
PID 956 wrote to memory of 1544	956	backup.exe	41
PID 956 wrote to memory of 1544	956	backup.exe	41
PID 1544 wrote to memory of 1584	1544	backup.exe	42
PID 1544 wrote to memory of 1584	1544	backup.exe	42
PID 1544 wrote to memory of 1584	1544	backup.exe	42
PID 1544 wrote to memory of 1584	1544	backup.exe	42
PID 1584 wrote to memory of 2332	1584	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ad4bd403c9db556a0269455379e0b8b0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\819075410\backup.exe
  C:\Users\Admin\AppData\Local\Temp\819075410\backup.exe C:\Users\Admin\AppData\Local\Temp\819075410\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:956
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1544
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2732
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2900
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2644
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:2524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2544
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2480
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:2792
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:1564
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2156
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1992
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1396
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:3036
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:280
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:892
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2804
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2412
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\data.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        System policy modification
        
        PID:1988
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        System policy modification
        
        PID:3044
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3052
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2640
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        System policy modification
        
        PID:2672
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:3012
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:1812
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2800
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1804
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        System policy modification
        
        PID:1964
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        System policy modification
        
        PID:564
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2212
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:984
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:3064
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2984
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2664
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:2572
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1452
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1324
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:2596
    - - C:\Program Files\DVD Maker\update.exe
        
        "C:\Program Files\DVD Maker\update.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2492
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:2568
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2884
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2076
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1644
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2052
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1204
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2032
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        System policy modification
        
        PID:1236
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        
        PID:2984
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:2504
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2536
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1768
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:828
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1616
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2448
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:2992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:592
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        System policy modification
        
        PID:1140
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        System policy modification
        
        PID:992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:772
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:932
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:1552
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:936
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2676
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1640
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1236
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1572
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2764
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1248
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1460
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2424
      - C:\Program Files\Internet Explorer\images\data.exe
        
        "C:\Program Files\Internet Explorer\images\data.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:400
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1052
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2288
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2612
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:600
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1604
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:2004
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:1128
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:2820
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:2372
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:1112
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:1740
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2496
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2352
      - C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:976
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2092
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:1696
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:3008
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:372
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2980
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:392
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2800
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2784
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:840
    - - C:\Program Files\Windows Defender\System Restore.exe
        
        "C:\Program Files\Windows Defender\System Restore.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2548
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2332
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:2308
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2724
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:2664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        System policy modification
        
        PID:2540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1868
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:2692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2060
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        Drops file in Program Files directory
        
        PID:592
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2784
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:2376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:780
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:3028
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:3024
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        System policy modification
        
        PID:1816
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2892
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2204
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2324
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1160
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2556
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2088
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2544
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        System policy modification
        
        PID:1812
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1600
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1632
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:1692
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:912
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        
        PID:2652
      - C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\
        6⤵
        
        PID:2384
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\data.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\data.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        Drops file in Program Files directory
        
        PID:2692
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2512
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2276
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2584
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2760
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2388
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:1376
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1504
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:1964
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1860
      - C:\Users\Admin\Documents\update.exe
        
        C:\Users\Admin\Documents\update.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2144
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2224
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2536
      - C:\Users\Admin\Links\data.exe
        
        C:\Users\Admin\Links\data.exe C:\Users\Admin\Links\
        6⤵
        
        PID:892
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:2704
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2000
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1844
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2684
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1588
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:2728
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1508
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:896
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2780
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:860
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
770bbb14a056f36f70418401f596bf95

SHA1
e41b442ed279ccd5f0733233ceb4a0f6d49c4e81

SHA256
794026fb15f786a3392ebd43972fd3bc0333dbe4c9296e6709b1bfbaffc2122c

SHA512
ff46372be3463709057654bc5d2005a84dadd5c61012a38062483e0ad35169e00541a7a70490084b0beeb729389140aa0ae2133097044966dc4ae60e3ce7ed24

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
3b1767ce20dace8a9fbed640b9165154

SHA1
e17490acd61d275a61126a34a92caf6602f6dd5c

SHA256
e960bf60c8b3fb8de7984496376287eb0ebacad8fc51454ebf4eaf13709b2d32

SHA512
fe9a9977e2cee00de36470b21e8685067342cd3d127f5f9a7e0b56ebf83ae10fa28a3a0ae04e76620dd20fa1d879b59b73fd76696b229a35637c867d04c3b2ad

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
3b1767ce20dace8a9fbed640b9165154

SHA1
e17490acd61d275a61126a34a92caf6602f6dd5c

SHA256
e960bf60c8b3fb8de7984496376287eb0ebacad8fc51454ebf4eaf13709b2d32

SHA512
fe9a9977e2cee00de36470b21e8685067342cd3d127f5f9a7e0b56ebf83ae10fa28a3a0ae04e76620dd20fa1d879b59b73fd76696b229a35637c867d04c3b2ad

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
ec503d9497edc6e135a4a78786c7c418

SHA1
ccbd53bd812f471b1c232fdfaf924bfea79e7058

SHA256
e7684f5bb4cdef48a5f560c291b56c9975bba68f2d7bce60fe1ad7b90052c713

SHA512
17ac1042135e001f6955938b2f7ee1d9ac17afcb49a7242bd6ff7c039537b9721bea7371b8a8b05a45ed9156476201b7254bfdcdd6bb65c8c816930ddec0a83d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b374ddf8281edc8d6fd7add75ebf6458

SHA1
704786cd779fc1e4842d305bbe81584193b82f80

SHA256
fcd3e122bc9d4fc4da3804ec0e9f9c3269b6078978abca4f9f1d75c1fdbcde24

SHA512
5db5f0b9dbb1efbac9da46c26c7bc4016554de7428d43aab97aef9ef3c278b27ab33e11818b521056e7583547576fe88ba93252fca1d1bac0d8c47f2ffba7e5d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b374ddf8281edc8d6fd7add75ebf6458

SHA1
704786cd779fc1e4842d305bbe81584193b82f80

SHA256
fcd3e122bc9d4fc4da3804ec0e9f9c3269b6078978abca4f9f1d75c1fdbcde24

SHA512
5db5f0b9dbb1efbac9da46c26c7bc4016554de7428d43aab97aef9ef3c278b27ab33e11818b521056e7583547576fe88ba93252fca1d1bac0d8c47f2ffba7e5d

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
C:\Users\Admin\AppData\Local\Temp\819075410\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\819075410\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\819075410\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
30KB

MD5
5beb310dbd93479bb0815ec6fac945ab

SHA1
01f386a7f27d5df548ac830330f6b4d3cd3fd3bf

SHA256
f6554fb103a6254136c8b0ba1c3d2f61404ae48f211a609d6fb12d86bfc42164

SHA512
9695676a51723e754dc14db09df524f66b7decfdfa2f0e41d0cabd1cba41ecf2befaaa9b3539200f28d0f246973975270f9ea3fdfba0b1afbd69b04b5b1db53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
84KB

MD5
cb638c463508208980b51df4b6a4a6f8

SHA1
23c10cbc300515726336c3ad8b648e1ffc57735c

SHA256
ebda8d14543f6c09291439879b922e7fba47ae06d6364552a04b1beb54cc7a6f

SHA512
85a488fe10a64cedf2c53f1875279e8375eafa27495896ed695d6195a4af436c3a460bf067196531f28007d5d800e10c2f08065174cf517af9ef4812dbe4529b

Download Submit
C:\backup.exe

Filesize
84KB

MD5
cb638c463508208980b51df4b6a4a6f8

SHA1
23c10cbc300515726336c3ad8b648e1ffc57735c

SHA256
ebda8d14543f6c09291439879b922e7fba47ae06d6364552a04b1beb54cc7a6f

SHA512
85a488fe10a64cedf2c53f1875279e8375eafa27495896ed695d6195a4af436c3a460bf067196531f28007d5d800e10c2f08065174cf517af9ef4812dbe4529b

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
770bbb14a056f36f70418401f596bf95

SHA1
e41b442ed279ccd5f0733233ceb4a0f6d49c4e81

SHA256
794026fb15f786a3392ebd43972fd3bc0333dbe4c9296e6709b1bfbaffc2122c

SHA512
ff46372be3463709057654bc5d2005a84dadd5c61012a38062483e0ad35169e00541a7a70490084b0beeb729389140aa0ae2133097044966dc4ae60e3ce7ed24

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
770bbb14a056f36f70418401f596bf95

SHA1
e41b442ed279ccd5f0733233ceb4a0f6d49c4e81

SHA256
794026fb15f786a3392ebd43972fd3bc0333dbe4c9296e6709b1bfbaffc2122c

SHA512
ff46372be3463709057654bc5d2005a84dadd5c61012a38062483e0ad35169e00541a7a70490084b0beeb729389140aa0ae2133097044966dc4ae60e3ce7ed24

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
b5896d250ab3722192a5b7670a14ef14

SHA1
6a7969f303f058949ccc6711acf1bc6789b858a8

SHA256
9c752bde7251657f148f0486fe9252787be88484dc567c0450dd3d241ea75130

SHA512
b1e0ae8a0e74eece14b782b5bd2f9d1b5825f9edf3212ed5ad9dfaabb03ba7f37a361e1a47c9467248af300c74a6d53ccd1689c70b9005920df3209a57a15ab6

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
3b1767ce20dace8a9fbed640b9165154

SHA1
e17490acd61d275a61126a34a92caf6602f6dd5c

SHA256
e960bf60c8b3fb8de7984496376287eb0ebacad8fc51454ebf4eaf13709b2d32

SHA512
fe9a9977e2cee00de36470b21e8685067342cd3d127f5f9a7e0b56ebf83ae10fa28a3a0ae04e76620dd20fa1d879b59b73fd76696b229a35637c867d04c3b2ad

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
3b1767ce20dace8a9fbed640b9165154

SHA1
e17490acd61d275a61126a34a92caf6602f6dd5c

SHA256
e960bf60c8b3fb8de7984496376287eb0ebacad8fc51454ebf4eaf13709b2d32

SHA512
fe9a9977e2cee00de36470b21e8685067342cd3d127f5f9a7e0b56ebf83ae10fa28a3a0ae04e76620dd20fa1d879b59b73fd76696b229a35637c867d04c3b2ad

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
ec503d9497edc6e135a4a78786c7c418

SHA1
ccbd53bd812f471b1c232fdfaf924bfea79e7058

SHA256
e7684f5bb4cdef48a5f560c291b56c9975bba68f2d7bce60fe1ad7b90052c713

SHA512
17ac1042135e001f6955938b2f7ee1d9ac17afcb49a7242bd6ff7c039537b9721bea7371b8a8b05a45ed9156476201b7254bfdcdd6bb65c8c816930ddec0a83d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
ec503d9497edc6e135a4a78786c7c418

SHA1
ccbd53bd812f471b1c232fdfaf924bfea79e7058

SHA256
e7684f5bb4cdef48a5f560c291b56c9975bba68f2d7bce60fe1ad7b90052c713

SHA512
17ac1042135e001f6955938b2f7ee1d9ac17afcb49a7242bd6ff7c039537b9721bea7371b8a8b05a45ed9156476201b7254bfdcdd6bb65c8c816930ddec0a83d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
cb0fa11ddb2787d21e25f70000c43777

SHA1
4a6e7b23943392e89e6867cb3244e94c991a3e14

SHA256
7b503b10f6014396065fa942775656a1a89256020edd9bc8946312e17da0a39e

SHA512
ec09718116e44a13679611302ec9d067ad8421ff6165c8c925ccb82eda5b97c5f90a8168696f693b0178ca73bedecc6a7ef656448c91320a090d04fbe98a080a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\data.exe

Filesize
84KB

MD5
ec503d9497edc6e135a4a78786c7c418

SHA1
ccbd53bd812f471b1c232fdfaf924bfea79e7058

SHA256
e7684f5bb4cdef48a5f560c291b56c9975bba68f2d7bce60fe1ad7b90052c713

SHA512
17ac1042135e001f6955938b2f7ee1d9ac17afcb49a7242bd6ff7c039537b9721bea7371b8a8b05a45ed9156476201b7254bfdcdd6bb65c8c816930ddec0a83d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b374ddf8281edc8d6fd7add75ebf6458

SHA1
704786cd779fc1e4842d305bbe81584193b82f80

SHA256
fcd3e122bc9d4fc4da3804ec0e9f9c3269b6078978abca4f9f1d75c1fdbcde24

SHA512
5db5f0b9dbb1efbac9da46c26c7bc4016554de7428d43aab97aef9ef3c278b27ab33e11818b521056e7583547576fe88ba93252fca1d1bac0d8c47f2ffba7e5d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
b374ddf8281edc8d6fd7add75ebf6458

SHA1
704786cd779fc1e4842d305bbe81584193b82f80

SHA256
fcd3e122bc9d4fc4da3804ec0e9f9c3269b6078978abca4f9f1d75c1fdbcde24

SHA512
5db5f0b9dbb1efbac9da46c26c7bc4016554de7428d43aab97aef9ef3c278b27ab33e11818b521056e7583547576fe88ba93252fca1d1bac0d8c47f2ffba7e5d

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
4427c014c2949af9f5199db78bb7e909

SHA1
3a5ec1c6b90d4b604520fcbc1dc55bdddd20c4aa

SHA256
10a898caa1292ebb96b478e3fd8ebadf74ca57b3344c4719f2109c489f7a0ef7

SHA512
35cc384066c6ebc49c2a6807c35ebb2a9f1005e7cad85406e6d88765493eb3befbd52c6bae9c86721734247ce051dad9e2d96a5a3764b6b2af4cae01d3240495

Download Submit
\Users\Admin\AppData\Local\Temp\819075410\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
\Users\Admin\AppData\Local\Temp\819075410\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
28b71c6c0c4f7d9e6f519ce5b8762025

SHA1
e4f0acdec554ae44c591223223ce04bc316ff87b

SHA256
fa9d58bf392ce61d4531e66d610f5195c6ccafc8c401fb6265b56d5c6df885c3

SHA512
486198879e6602686055799136e44ee5ee87d0ed7806f3a3977facf60899c1e590c946851568bbdbb1b870f31e1c7124af17adf162737a4d3c41fff850f93c96

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
84KB

MD5
b8e5deefae9a4a570f47631ffe7524c4

SHA1
01410f1169e35ecd3435c0743bdf255bdb004b88

SHA256
3f1b0bee21ec293701beb0510eb0eb805025cd1f6ee9858b5cacbff3b44bea4a

SHA512
4520f910c3096f22719ee49227674bf4673d55febc82e3e8b9c0fdffe0286a49a8e62f6806f57d1c28172a71fc06f57e0c140277d7a85106dddf07222c69344d

Download Submit
memory/572-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/572-122-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/752-150-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/752-193-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/752-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/752-95-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/836-269-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/836-290-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/836-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/836-280-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/836-292-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/836-270-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/836-261-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/896-319-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/912-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/940-163-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/940-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/956-217-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/956-220-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/956-179-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/956-152-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/956-194-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/988-265-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1284-294-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1388-310-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1544-258-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/1544-207-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/1544-187-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/1544-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1544-246-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/1584-276-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1584-221-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1584-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1584-232-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1684-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1872-286-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-252-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-46-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2068-36-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2068-11-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2068-73-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2068-35-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2068-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-247-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2068-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-191-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2068-60-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2332-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2332-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2348-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2348-92-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2348-93-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2348-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2348-133-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2536-107-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2536-109-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2536-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2540-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2568-79-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2656-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2856-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2916-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads