d17cb22135339f7b5575a769ade9bd4e5873475814a363d0825eea5d095148b8

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abbadff90329111968bf343e67aae60.exe
Size

122KB
MD5

3abbadff90329111968bf343e67aae60
SHA1

ff701a69853b0db001749da7489170cdb12f8f80
SHA256

d17cb22135339f7b5575a769ade9bd4e5873475814a363d0825eea5d095148b8
SHA512

a39ed5937db550fd78679ef90d84c23eb228edace5422abbc51498cc6cb27cda74033c312be341921b7a718758f0f426d04d521d6bbf2f41c9c0a066fca4d599
SSDEEP

1536:lvm1Fu8AjYaFwjRUdW7fmyY7aZYJVmy0KQbj6vbjuKoauGi4f:6u8ANCUdgfmD7zey0KUj6TjR9i4f

Score

10^/10

dropper evasion persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0031000000016455-5.dat	family_berbew
behavioral1/memory/2924-11-0x0000000002620000-0x0000000002644000-memory.dmp	family_berbew
behavioral1/files/0x0031000000016455-12.dat	family_berbew
behavioral1/files/0x0031000000016455-9.dat	family_berbew
behavioral1/files/0x0031000000016455-7.dat	family_berbew
behavioral1/files/0x0007000000016c2b-18.dat	family_berbew
behavioral1/files/0x0007000000016c2b-22.dat	family_berbew
behavioral1/files/0x0007000000016c2b-16.dat	family_berbew
behavioral1/memory/2840-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016ca3-33.dat	family_berbew
behavioral1/files/0x0007000000016ca3-29.dat	family_berbew
behavioral1/files/0x0007000000016ca3-27.dat	family_berbew
behavioral1/files/0x0008000000016c34-43.dat	family_berbew
behavioral1/files/0x0008000000016c34-39.dat	family_berbew
behavioral1/files/0x0008000000016c34-37.dat	family_berbew
behavioral1/memory/2756-47-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0009000000016cdf-54.dat	family_berbew
behavioral1/files/0x0009000000016cdf-50.dat	family_berbew
behavioral1/files/0x0009000000016cdf-48.dat	family_berbew
behavioral1/files/0x0007000000016d0a-59.dat	family_berbew
behavioral1/memory/2824-58-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d0a-65.dat	family_berbew
behavioral1/files/0x0007000000016d0a-61.dat	family_berbew
behavioral1/files/0x0031000000016455-68.dat	family_berbew
behavioral1/files/0x003300000001658b-74.dat	family_berbew
behavioral1/files/0x0006000000016d39-79.dat	family_berbew
behavioral1/files/0x0006000000016d39-77.dat	family_berbew
behavioral1/memory/3004-84-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d39-85.dat	family_berbew
behavioral1/files/0x003300000001658b-87.dat	family_berbew
behavioral1/files/0x0006000000016d4d-90.dat	family_berbew
behavioral1/files/0x0006000000016d4d-96.dat	family_berbew
behavioral1/files/0x0006000000016d4d-92.dat	family_berbew
behavioral1/memory/2628-97-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d4d-101.dat	family_berbew
behavioral1/files/0x0006000000016d77-103.dat	family_berbew
behavioral1/files/0x0006000000016d77-109.dat	family_berbew
behavioral1/files/0x0006000000016d77-105.dat	family_berbew
behavioral1/files/0x0006000000016d85-120.dat	family_berbew
behavioral1/memory/3028-121-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/3008-113-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d85-116.dat	family_berbew
behavioral1/files/0x0006000000016d85-114.dat	family_berbew
behavioral1/files/0x0006000000016d85-124.dat	family_berbew
behavioral1/files/0x0007000000016d80-126.dat	family_berbew
behavioral1/files/0x0007000000016d80-132.dat	family_berbew
behavioral1/files/0x0007000000016d80-128.dat	family_berbew
behavioral1/files/0x0007000000016d80-135.dat	family_berbew
behavioral1/files/0x0006000000016fe9-137.dat	family_berbew
behavioral1/files/0x0006000000016fe9-142.dat	family_berbew
behavioral1/files/0x0006000000016fe9-143.dat	family_berbew
behavioral1/files/0x0006000000016fe9-146.dat	family_berbew
behavioral1/files/0x0006000000016fe9-145.dat	family_berbew
behavioral1/files/0x0006000000016fe9-144.dat	family_berbew
behavioral1/files/0x0008000000016d64-168.dat	family_berbew
behavioral1/memory/1652-169-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/memory/2232-161-0x0000000000400000-0x0000000000424000-memory.dmp	family_berbew
behavioral1/files/0x0008000000016d64-164.dat	family_berbew
behavioral1/files/0x0008000000016d64-162.dat	family_berbew
behavioral1/files/0x0008000000016d64-173.dat	family_berbew
behavioral1/files/0x0008000000017564-175.dat	family_berbew
behavioral1/files/0x0008000000017564-177.dat	family_berbew
behavioral1/files/0x0008000000017564-181.dat	family_berbew

Modifies visibility of file extensions in Explorer 2 TTPs 37 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3abbadff90329111968bf343e67aae60.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe

Executes dropped EXE 38 IoCs

pid	Process
1740	data.exe
2840	backup.exe
2684	backup.exe
2756	backup.exe
2824	backup.exe
3004	backup.exe
2556	backup.exe
2628	backup.exe
3028	backup.exe
3008	backup.exe
1164	backup.exe
2232	backup.exe
1652	update.exe
1120	backup.exe
2652	backup.exe
2292	backup.exe
328	data.exe
2304	backup.exe
1148	backup.exe
2272	backup.exe
1052	backup.exe
1768	System Restore.exe
1080	backup.exe
940	backup.exe
1432	backup.exe
2208	backup.exe
2392	backup.exe
3060	backup.exe
1920	System Restore.exe
1700	backup.exe
2528	System Restore.exe
2648	data.exe
2752	System Restore.exe
2940	backup.exe
2756	backup.exe
2748	backup.exe
2580	backup.exe
320	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2924	3abbadff90329111968bf343e67aae60.exe
2556	backup.exe
2556	backup.exe
3028	backup.exe
3028	backup.exe
2556	backup.exe
2556	backup.exe
1164	backup.exe
1164	backup.exe
2232	backup.exe
1652	update.exe
1652	update.exe
1652	update.exe
1164	backup.exe
1164	backup.exe
1120	backup.exe
1120	backup.exe
2652	backup.exe
2652	backup.exe
2652	backup.exe
2652	backup.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
328	data.exe
1920	System Restore.exe
1920	System Restore.exe
1920	System Restore.exe
1920	System Restore.exe
1920	System Restore.exe
1920	System Restore.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2924	3abbadff90329111968bf343e67aae60.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2924	3abbadff90329111968bf343e67aae60.exe
1740	data.exe
2840	backup.exe
2684	backup.exe
2756	backup.exe
2824	backup.exe
3004	backup.exe
2556	backup.exe
2628	backup.exe
3028	backup.exe
3008	backup.exe
1164	backup.exe
2232	backup.exe
1652	update.exe
1120	backup.exe
2652	backup.exe
2292	backup.exe
328	data.exe
2304	backup.exe
1148	backup.exe
2272	backup.exe
1052	backup.exe
1768	System Restore.exe
1080	backup.exe
940	backup.exe
1432	backup.exe
2208	backup.exe
2392	backup.exe
3060	backup.exe
1920	System Restore.exe
1700	backup.exe
2528	System Restore.exe
2648	data.exe
2752	System Restore.exe
2940	backup.exe
2756	backup.exe
2748	backup.exe
2580	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1740	2924	3abbadff90329111968bf343e67aae60.exe	28
PID 2924 wrote to memory of 1740	2924	3abbadff90329111968bf343e67aae60.exe	28
PID 2924 wrote to memory of 1740	2924	3abbadff90329111968bf343e67aae60.exe	28
PID 2924 wrote to memory of 1740	2924	3abbadff90329111968bf343e67aae60.exe	28
PID 2924 wrote to memory of 2840	2924	3abbadff90329111968bf343e67aae60.exe	29
PID 2924 wrote to memory of 2840	2924	3abbadff90329111968bf343e67aae60.exe	29
PID 2924 wrote to memory of 2840	2924	3abbadff90329111968bf343e67aae60.exe	29
PID 2924 wrote to memory of 2840	2924	3abbadff90329111968bf343e67aae60.exe	29
PID 2924 wrote to memory of 2684	2924	3abbadff90329111968bf343e67aae60.exe	30
PID 2924 wrote to memory of 2684	2924	3abbadff90329111968bf343e67aae60.exe	30
PID 2924 wrote to memory of 2684	2924	3abbadff90329111968bf343e67aae60.exe	30
PID 2924 wrote to memory of 2684	2924	3abbadff90329111968bf343e67aae60.exe	30
PID 2924 wrote to memory of 2756	2924	3abbadff90329111968bf343e67aae60.exe	31
PID 2924 wrote to memory of 2756	2924	3abbadff90329111968bf343e67aae60.exe	31
PID 2924 wrote to memory of 2756	2924	3abbadff90329111968bf343e67aae60.exe	31
PID 2924 wrote to memory of 2756	2924	3abbadff90329111968bf343e67aae60.exe	31
PID 2924 wrote to memory of 2824	2924	3abbadff90329111968bf343e67aae60.exe	32
PID 2924 wrote to memory of 2824	2924	3abbadff90329111968bf343e67aae60.exe	32
PID 2924 wrote to memory of 2824	2924	3abbadff90329111968bf343e67aae60.exe	32
PID 2924 wrote to memory of 2824	2924	3abbadff90329111968bf343e67aae60.exe	32
PID 2924 wrote to memory of 3004	2924	3abbadff90329111968bf343e67aae60.exe	33
PID 2924 wrote to memory of 3004	2924	3abbadff90329111968bf343e67aae60.exe	33
PID 2924 wrote to memory of 3004	2924	3abbadff90329111968bf343e67aae60.exe	33
PID 2924 wrote to memory of 3004	2924	3abbadff90329111968bf343e67aae60.exe	33
PID 1740 wrote to memory of 2556	1740	data.exe	34
PID 1740 wrote to memory of 2556	1740	data.exe	34
PID 1740 wrote to memory of 2556	1740	data.exe	34
PID 1740 wrote to memory of 2556	1740	data.exe	34
PID 2924 wrote to memory of 2628	2924	3abbadff90329111968bf343e67aae60.exe	35
PID 2924 wrote to memory of 2628	2924	3abbadff90329111968bf343e67aae60.exe	35
PID 2924 wrote to memory of 2628	2924	3abbadff90329111968bf343e67aae60.exe	35
PID 2924 wrote to memory of 2628	2924	3abbadff90329111968bf343e67aae60.exe	35
PID 2556 wrote to memory of 3028	2556	backup.exe	36
PID 2556 wrote to memory of 3028	2556	backup.exe	36
PID 2556 wrote to memory of 3028	2556	backup.exe	36
PID 2556 wrote to memory of 3028	2556	backup.exe	36
PID 3028 wrote to memory of 3008	3028	backup.exe	37
PID 3028 wrote to memory of 3008	3028	backup.exe	37
PID 3028 wrote to memory of 3008	3028	backup.exe	37
PID 3028 wrote to memory of 3008	3028	backup.exe	37
PID 2556 wrote to memory of 1164	2556	backup.exe	38
PID 2556 wrote to memory of 1164	2556	backup.exe	38
PID 2556 wrote to memory of 1164	2556	backup.exe	38
PID 2556 wrote to memory of 1164	2556	backup.exe	38
PID 1164 wrote to memory of 2232	1164	backup.exe	39
PID 1164 wrote to memory of 2232	1164	backup.exe	39
PID 1164 wrote to memory of 2232	1164	backup.exe	39
PID 1164 wrote to memory of 2232	1164	backup.exe	39
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 2232 wrote to memory of 1652	2232	backup.exe	40
PID 1164 wrote to memory of 1120	1164	backup.exe	41
PID 1164 wrote to memory of 1120	1164	backup.exe	41
PID 1164 wrote to memory of 1120	1164	backup.exe	41
PID 1164 wrote to memory of 1120	1164	backup.exe	41
PID 1120 wrote to memory of 2652	1120	backup.exe	42
PID 1120 wrote to memory of 2652	1120	backup.exe	42
PID 1120 wrote to memory of 2652	1120	backup.exe	42
PID 1120 wrote to memory of 2652	1120	backup.exe	42
PID 2652 wrote to memory of 2292	2652	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3abbadff90329111968bf343e67aae60.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3abbadff90329111968bf343e67aae60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\3abbadff90329111968bf343e67aae60.exe
"C:\Users\Admin\AppData\Local\Temp\3abbadff90329111968bf343e67aae60.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2924
- C:\Users\Admin\AppData\Local\Temp\2697605695\data.exe
  C:\Users\Admin\AppData\Local\Temp\2697605695\data.exe C:\Users\Admin\AppData\Local\Temp\2697605695\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1740
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2556
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3028
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3008
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1164
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2232
      - C:\Program Files\7-Zip\Lang\update.exe
        
        "C:\Program Files\7-Zip\Lang\update.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1120
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2652
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1080
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1432
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2392
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1700
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2816
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2540
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:1656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:1448
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1676
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:1940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        
        PID:1452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        
        PID:876
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2164
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2068
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:2220
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1860
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:2648
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:3064
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1844
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1660
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:568
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:484
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2616
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:992
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1800
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:292
      - C:\Program Files\Common Files\SpeechEngines\System Restore.exe
        
        "C:\Program Files\Common Files\SpeechEngines\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:3040
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2672
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2620
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2264
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2644
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1920
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:884
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:760
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2696
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2816
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:924
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:764
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:392
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:1072
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        
        PID:1728
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:896
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:1492
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1852
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2824
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1016
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2860
      - C:\Program Files\DVD Maker\ja-JP\System Restore.exe
        
        "C:\Program Files\DVD Maker\ja-JP\System Restore.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1060
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2112
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1084
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2060
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1868
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1228
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1792
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1960
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2200
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2512
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2752
      - C:\Program Files\Internet Explorer\ja-JP\update.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\update.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2948
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:1648
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2196
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:2240
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:564
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        
        PID:2124
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1512
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1588
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:2720
        
        C:\Program Files\Microsoft Games\Chess\en-US\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\System Restore.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:2288
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:2800
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:1608
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:628
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2368
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2196
      - C:\Program Files\Microsoft Games\Mahjong\update.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\update.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2648
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:1456
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1768
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2712
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:2008
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:1888
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1976
      - C:\Program Files (x86)\Adobe\Reader 9.0\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1728
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2144
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2176
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2016
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2308
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1096
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2716
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:2572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2284
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1020
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:2832
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2656
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:2020
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:1196
      - C:\Program Files (x86)\Common Files\Services\data.exe
        
        "C:\Program Files (x86)\Common Files\Services\data.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:832
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:2224
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2516
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:3020
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2836
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2756
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:848
    - - C:\Program Files (x86)\Microsoft Office\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\data.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2544
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1080
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        
        PID:2632
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\update.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        7⤵
        
        PID:112
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        7⤵
        
        PID:2724
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
        7⤵
        
        PID:536
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
        7⤵
        
        PID:1296
      - C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\
        6⤵
        
        PID:2152
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1052
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:824
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        
        PID:1572
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1376
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:2972
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:2896
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2492
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2344
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2296
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1060
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2084
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2592
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2772
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1404
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:2780
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2912
      - C:\Windows\AppPatch\it-IT\System Restore.exe
        
        "C:\Windows\AppPatch\it-IT\System Restore.exe" C:\Windows\AppPatch\it-IT\
        6⤵
        
        PID:884
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        
        PID:2860
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2456
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        
        PID:1336
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2304
        
        C:\Windows\assembly\GAC\Microsoft.Ink\System Restore.exe
        
        "C:\Windows\assembly\GAC\Microsoft.Ink\System Restore.exe" C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        
        PID:1528
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:1480
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:2708
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:1096
      - C:\Windows\assembly\GAC_32\data.exe
        
        C:\Windows\assembly\GAC_32\data.exe C:\Windows\assembly\GAC_32\
        6⤵
        
        PID:1120
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        7⤵
        
        PID:2768
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:2644
        
        C:\Windows\assembly\GAC_32\ehexthost32\data.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\data.exe C:\Windows\assembly\GAC_32\ehexthost32\
        7⤵
        
        PID:1912
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        
        PID:1532
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        
        PID:2256
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        
        PID:2424
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_64\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        
        PID:3028
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1932
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2508
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2680
    - - C:\Windows\de-DE\update.exe
        
        C:\Windows\de-DE\update.exe C:\Windows\de-DE\
        5⤵
        
        PID:2388
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        
        PID:2580
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2628

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
1⤵
PID:2148

C:\Windows\debug\WIA\backup.exe
C:\Windows\debug\WIA\backup.exe C:\Windows\debug\WIA\
1⤵
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
3e0a30e9edbe10cd20ea7aac3021d39c

SHA1
d181b27bd5f089a1f4c329895aa2131cabfec55e

SHA256
05f4ca348b301df1d7c4bff17c760ed47e3fbc4abcfced6ea11ade7e01536550

SHA512
edc35a9a3f034bb95522f21657c682db092e296a3d6005652fe095b0b3b89ef9146e3c83f26409eaac67d2f9fbbfd9aab021093f01b62fedbd5f0b6ca59e632d

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
0f577136e54700b3ff6114ceafb131a4

SHA1
1ce4ed7c03ba6cff815b96c7fab8a3b41752eafb

SHA256
a74f0a7925e8d03e1174fe182d98ff1b12d1d1b3e69e1c1550fd888f433a7902

SHA512
743263a0e5df87a3e0ec4b2bbecca416e213b075c1c516472ba0d4fb692fdc3541cf4176a717b10cd11a6be23be0172cf26fe916fd3b0c51fdc26601f27cbd9d

Download Submit
C:\PerfLogs\backup.exe

Filesize
122KB

MD5
0f577136e54700b3ff6114ceafb131a4

SHA1
1ce4ed7c03ba6cff815b96c7fab8a3b41752eafb

SHA256
a74f0a7925e8d03e1174fe182d98ff1b12d1d1b3e69e1c1550fd888f433a7902

SHA512
743263a0e5df87a3e0ec4b2bbecca416e213b075c1c516472ba0d4fb692fdc3541cf4176a717b10cd11a6be23be0172cf26fe916fd3b0c51fdc26601f27cbd9d

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
C:\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
d1da8f4603d6d94b7bd6418dadb71c65

SHA1
e4b1bc8b2e32ae73f39c4889de0dc2c33ef7e9e9

SHA256
8b53defbfb0ee4d65ea89e58e71025501d02bc21bc798da596522ebf8fa53dfc

SHA512
c4d8e121296de340d6e678c7e91cdbbfef699abc8472fb2b1cba1217ee202afe23e8dfaf15bd811a67765ab6ff0e3e3116a95bf9400cae8bf3a4411b1991c168

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
d1da8f4603d6d94b7bd6418dadb71c65

SHA1
e4b1bc8b2e32ae73f39c4889de0dc2c33ef7e9e9

SHA256
8b53defbfb0ee4d65ea89e58e71025501d02bc21bc798da596522ebf8fa53dfc

SHA512
c4d8e121296de340d6e678c7e91cdbbfef699abc8472fb2b1cba1217ee202afe23e8dfaf15bd811a67765ab6ff0e3e3116a95bf9400cae8bf3a4411b1991c168

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
9d5b0b807a82ddadcfd8e1ba5f4f8cd0

SHA1
36846722d951781adb86667816010785b8063833

SHA256
2ed66e3fd24bc8e9eba5152cfe57106e279b89189579c586cddcc5ff7edae2a8

SHA512
91479b35554fdcf17a1e6eddf8d21be025094ed2ba0cca4fc86ea815fe4bba782d5f9c76a0b2a2d047534a8b03cb6e92395aa18ccc5ab9a6365e9948105ebb24

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
e63f4c54788f70927494b72584971596

SHA1
52ce3b170185739608f641302c0aa922a897c002

SHA256
f0464287a1a178316f9d5637710ca54c48d38cc4ce2173109e79e25673d1b45a

SHA512
b2508f59a1899baa998976c0ab8cedb1d58ccbfcefc46f115f7943fbef9678def27fa9e89c11f5d23e4307a80220357e27c58c1342c56dee20a9efdc750f9396

Download Submit
C:\Program Files\backup.exe

Filesize
122KB

MD5
e63f4c54788f70927494b72584971596

SHA1
52ce3b170185739608f641302c0aa922a897c002

SHA256
f0464287a1a178316f9d5637710ca54c48d38cc4ce2173109e79e25673d1b45a

SHA512
b2508f59a1899baa998976c0ab8cedb1d58ccbfcefc46f115f7943fbef9678def27fa9e89c11f5d23e4307a80220357e27c58c1342c56dee20a9efdc750f9396

Download Submit
C:\Users\Admin\AppData\Local\Temp\2697605695\data.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\2697605695\data.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\2697605695\data.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
41KB

MD5
ee4e95b77cb934026f600ae5d88055b1

SHA1
511c193be5e8b3df54acf6eba40bbcf3554cedef

SHA256
f855a7882f75b70bbc1f6cce3d59e34f83238dffc68e43631c7e8fb35b0f4f2e

SHA512
33005160dece18510d9b0a0668eddf9380455b4a6fac4bd5245a026f67b76aca3a097b4a9625ce795c38f98f857db4e1c275d440a7fc7fdd69daf9ae8c2c69d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
122KB

MD5
4cc6bc29ab7928e654bafd4dd5c83b84

SHA1
12336a7f38e40308db21843174d19237c6ab4221

SHA256
d915bec61d38f66f2099a8b37fb26c85873d396c9d19656d94b23f4886abaffc

SHA512
095cc0159625869c02c086b15632a8b510cb9ce76a2752e66bd21e5b246978a36ad343ad9c4745ee933a8ad5b6e4eedabb5eaad6c49fb5e3a2f57ecce439a12e

Download Submit
C:\backup.exe

Filesize
122KB

MD5
4cc6bc29ab7928e654bafd4dd5c83b84

SHA1
12336a7f38e40308db21843174d19237c6ab4221

SHA256
d915bec61d38f66f2099a8b37fb26c85873d396c9d19656d94b23f4886abaffc

SHA512
095cc0159625869c02c086b15632a8b510cb9ce76a2752e66bd21e5b246978a36ad343ad9c4745ee933a8ad5b6e4eedabb5eaad6c49fb5e3a2f57ecce439a12e

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
3e0a30e9edbe10cd20ea7aac3021d39c

SHA1
d181b27bd5f089a1f4c329895aa2131cabfec55e

SHA256
05f4ca348b301df1d7c4bff17c760ed47e3fbc4abcfced6ea11ade7e01536550

SHA512
edc35a9a3f034bb95522f21657c682db092e296a3d6005652fe095b0b3b89ef9146e3c83f26409eaac67d2f9fbbfd9aab021093f01b62fedbd5f0b6ca59e632d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
122KB

MD5
3e0a30e9edbe10cd20ea7aac3021d39c

SHA1
d181b27bd5f089a1f4c329895aa2131cabfec55e

SHA256
05f4ca348b301df1d7c4bff17c760ed47e3fbc4abcfced6ea11ade7e01536550

SHA512
edc35a9a3f034bb95522f21657c682db092e296a3d6005652fe095b0b3b89ef9146e3c83f26409eaac67d2f9fbbfd9aab021093f01b62fedbd5f0b6ca59e632d

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
0f577136e54700b3ff6114ceafb131a4

SHA1
1ce4ed7c03ba6cff815b96c7fab8a3b41752eafb

SHA256
a74f0a7925e8d03e1174fe182d98ff1b12d1d1b3e69e1c1550fd888f433a7902

SHA512
743263a0e5df87a3e0ec4b2bbecca416e213b075c1c516472ba0d4fb692fdc3541cf4176a717b10cd11a6be23be0172cf26fe916fd3b0c51fdc26601f27cbd9d

Download Submit
\PerfLogs\backup.exe

Filesize
122KB

MD5
0f577136e54700b3ff6114ceafb131a4

SHA1
1ce4ed7c03ba6cff815b96c7fab8a3b41752eafb

SHA256
a74f0a7925e8d03e1174fe182d98ff1b12d1d1b3e69e1c1550fd888f433a7902

SHA512
743263a0e5df87a3e0ec4b2bbecca416e213b075c1c516472ba0d4fb692fdc3541cf4176a717b10cd11a6be23be0172cf26fe916fd3b0c51fdc26601f27cbd9d

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
\Program Files\7-Zip\Lang\update.exe

Filesize
122KB

MD5
d3d39df7c732a8b9e946c25d040d8606

SHA1
38cae46027043f943289af905b0f8df394c496bc

SHA256
3b449fe3d700b385f46b64ad1a11fdb9d551d1ee384a2a485c0b2fbb3e032712

SHA512
e3f616eeba3423111b8523a038c8f35373a7c56a11b52b75abeddc5b03c8586cb9788bdee2daa933be65af1baeaf3603a215115218cc86c461d08728b23e797a

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
d1da8f4603d6d94b7bd6418dadb71c65

SHA1
e4b1bc8b2e32ae73f39c4889de0dc2c33ef7e9e9

SHA256
8b53defbfb0ee4d65ea89e58e71025501d02bc21bc798da596522ebf8fa53dfc

SHA512
c4d8e121296de340d6e678c7e91cdbbfef699abc8472fb2b1cba1217ee202afe23e8dfaf15bd811a67765ab6ff0e3e3116a95bf9400cae8bf3a4411b1991c168

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
122KB

MD5
d1da8f4603d6d94b7bd6418dadb71c65

SHA1
e4b1bc8b2e32ae73f39c4889de0dc2c33ef7e9e9

SHA256
8b53defbfb0ee4d65ea89e58e71025501d02bc21bc798da596522ebf8fa53dfc

SHA512
c4d8e121296de340d6e678c7e91cdbbfef699abc8472fb2b1cba1217ee202afe23e8dfaf15bd811a67765ab6ff0e3e3116a95bf9400cae8bf3a4411b1991c168

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
9d5b0b807a82ddadcfd8e1ba5f4f8cd0

SHA1
36846722d951781adb86667816010785b8063833

SHA256
2ed66e3fd24bc8e9eba5152cfe57106e279b89189579c586cddcc5ff7edae2a8

SHA512
91479b35554fdcf17a1e6eddf8d21be025094ed2ba0cca4fc86ea815fe4bba782d5f9c76a0b2a2d047534a8b03cb6e92395aa18ccc5ab9a6365e9948105ebb24

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
122KB

MD5
9d5b0b807a82ddadcfd8e1ba5f4f8cd0

SHA1
36846722d951781adb86667816010785b8063833

SHA256
2ed66e3fd24bc8e9eba5152cfe57106e279b89189579c586cddcc5ff7edae2a8

SHA512
91479b35554fdcf17a1e6eddf8d21be025094ed2ba0cca4fc86ea815fe4bba782d5f9c76a0b2a2d047534a8b03cb6e92395aa18ccc5ab9a6365e9948105ebb24

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
122KB

MD5
9d5b0b807a82ddadcfd8e1ba5f4f8cd0

SHA1
36846722d951781adb86667816010785b8063833

SHA256
2ed66e3fd24bc8e9eba5152cfe57106e279b89189579c586cddcc5ff7edae2a8

SHA512
91479b35554fdcf17a1e6eddf8d21be025094ed2ba0cca4fc86ea815fe4bba782d5f9c76a0b2a2d047534a8b03cb6e92395aa18ccc5ab9a6365e9948105ebb24

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\data.exe

Filesize
122KB

MD5
7c681d7f107b4af0bb3b30e63bebe98d

SHA1
f6f8629fd1988b4e6a0ed9eaeed5b39a8e13db42

SHA256
247a8f86c0c01840af2acfa279d00cbc05962004ce4762b46e008f0c7e5cb2bd

SHA512
dfba425b9ad9cd8c6b0ff710f590f13f558998758ad2a279e1a83cf21649c9be39f344c9ec1b855a461198923d29ca24266b742c5565b7376c60a398f1bdc4b2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
\Program Files\Common Files\backup.exe

Filesize
122KB

MD5
92a5421843dac44b75ff78b8fbd05367

SHA1
f4c65934335abe40f44c2ee181330e256c3ac5ab

SHA256
747ec52a78d0e4fcf3f5c14a478fb6c73d17f2b76d27c227afb27e017a4e99b4

SHA512
f259d6af10b719a707e9662e0355ff39a85b07cedcf56bb51fd5d439a8ee9dbdadbb1e3f51624da8de7b6a1d0d6905682e8fcdea24e16bab14ee35d3f248563d

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
e63f4c54788f70927494b72584971596

SHA1
52ce3b170185739608f641302c0aa922a897c002

SHA256
f0464287a1a178316f9d5637710ca54c48d38cc4ce2173109e79e25673d1b45a

SHA512
b2508f59a1899baa998976c0ab8cedb1d58ccbfcefc46f115f7943fbef9678def27fa9e89c11f5d23e4307a80220357e27c58c1342c56dee20a9efdc750f9396

Download Submit
\Program Files\backup.exe

Filesize
122KB

MD5
e63f4c54788f70927494b72584971596

SHA1
52ce3b170185739608f641302c0aa922a897c002

SHA256
f0464287a1a178316f9d5637710ca54c48d38cc4ce2173109e79e25673d1b45a

SHA512
b2508f59a1899baa998976c0ab8cedb1d58ccbfcefc46f115f7943fbef9678def27fa9e89c11f5d23e4307a80220357e27c58c1342c56dee20a9efdc750f9396

Download Submit
\Users\Admin\AppData\Local\Temp\2697605695\data.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\2697605695\data.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
122KB

MD5
d7c9007d72ace62b973a4767f2b129ff

SHA1
dd930b48dcfaabab84dd5e9123af09d2d138a58f

SHA256
b4c2b9397854b8c589a713cee4b620fb8e3e6861d93c816a14dc16b8c3995206

SHA512
7d49cc5f91362ffe65dd0003d14e5a8011e2968e5dbb7a6cdd0dd12d4dfb990c8b9f35954bf7d5fc32bc52d7727672c57c10b51a09574a30568a1c43e9d14830

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
122KB

MD5
acd5964870c6dd5b185c8a88dc983cb8

SHA1
36ff71140d70517ad0ccb0a6a3a0889637438494

SHA256
94820e5890ad1ac0331a7970f58ef4fa94700ec724d2e9b2fa04a417cb2ccd7c

SHA512
f7044cdd98c2700db79e0ae02446c5ac435cec3f2b44e5506e56c644f3fc0990fe54ccc94d32ef7faff7391401a4ccb50ef095270e22a344f260c97795d992d2

Download Submit
memory/292-612-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/320-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/328-839-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/564-1680-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/612-515-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/692-750-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/760-1136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/812-403-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/852-435-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/860-599-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/884-1209-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/896-982-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/940-274-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1016-778-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1052-242-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1060-832-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1060-1132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1080-266-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1096-877-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-871-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1120-931-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1148-227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1228-1102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1376-419-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1432-281-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-463-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1492-627-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1560-893-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-1588-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-546-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1652-169-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1652-170-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1656-443-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1676-484-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1700-321-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-582-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1768-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1768-1585-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1788-1614-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1852-666-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1860-943-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1920-391-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1948-1082-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-1062-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1960-1354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-902-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2008-1662-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2016-801-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-862-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2068-749-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2112-949-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2132-993-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2132-647-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2144-652-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2164-986-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2176-704-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2196-1394-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2200-1226-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2220-800-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-161-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2264-1432-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2272-235-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2288-1717-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2292-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2296-1103-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-218-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2308-1731-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2392-297-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-1395-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-1396-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2528-328-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2540-426-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-1691-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2580-377-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2592-1227-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2612-1133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2628-97-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-840-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-336-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2648-1058-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-1183-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-725-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-682-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2680-698-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2684-474-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2712-1705-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2716-1077-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2748-369-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-345-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2752-1478-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2756-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2756-362-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-700-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-748-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-1315-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-1314-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-468-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2860-816-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2900-823-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2908-797-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-677-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2916-1313-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-344-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2924-11-0x0000000002620000-0x0000000002644000-memory.dmp

Filesize
144KB

Download
memory/2940-354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3004-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3008-113-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-395-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3028-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3040-690-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3060-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads