9026e3397c590cb775a3d577e5ab4169e2ed9f6b61c7aa23d734eb6083fcb0a9

Analysis

max time kernel
21s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 17:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
Size

84KB
MD5

600222a7a06ce5ff99cdd0dd07016580
SHA1

24bc43805e5f76275dc9f2e435979602389732c5
SHA256

9026e3397c590cb775a3d577e5ab4169e2ed9f6b61c7aa23d734eb6083fcb0a9
SHA512

edab8ca5ae1d7ba9b299b958c69f7580f52f08fc7e12f25f086e3c00433de5dc9ee5a69c61874ea354e71a4a788e661b167d2a5d641e9beefe3e711c52cf04ee
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmV:BeT7BVwxfvEFwjRV

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 45 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 47 IoCs

pid	Process
2728	backup.exe
2572	backup.exe
2696	backup.exe
2472	backup.exe
2488	backup.exe
2540	backup.exe
2300	backup.exe
1896	backup.exe
2852	update.exe
640	backup.exe
1580	backup.exe
1096	data.exe
2640	backup.exe
1536	backup.exe
1192	System Restore.exe
2836	backup.exe
2276	backup.exe
892	backup.exe
2264	backup.exe
1924	backup.exe
1612	backup.exe
1916	backup.exe
1060	backup.exe
2056	backup.exe
2168	backup.exe
1364	backup.exe
680	backup.exe
2076	backup.exe
2176	backup.exe
3052	backup.exe
2692	backup.exe
2464	backup.exe
2416	backup.exe
2792	backup.exe
2576	System Restore.exe
2532	backup.exe
2992	backup.exe
1368	backup.exe
1972	update.exe
2544	data.exe
956	backup.exe
2808	backup.exe
2644	backup.exe
2332	backup.exe
2536	backup.exe
2772	backup.exe
1652	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2472	backup.exe
2488	backup.exe
2488	backup.exe
2540	backup.exe
2540	backup.exe
2488	backup.exe
2488	backup.exe
1896	backup.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
2852	update.exe
640	backup.exe
640	backup.exe
640	backup.exe
1896	backup.exe
1896	backup.exe
1580	backup.exe
1580	backup.exe
1096	data.exe
1096	data.exe
1096	data.exe
1096	data.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
1536	backup.exe
1536	backup.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
1536	backup.exe
1536	backup.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
1536	backup.exe
1536	backup.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
1536	backup.exe
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0028000000015e3d-5.dat	upx
behavioral1/files/0x0028000000015e3d-7.dat	upx
behavioral1/files/0x0028000000015e3d-9.dat	upx
behavioral1/files/0x0028000000015e3d-12.dat	upx
behavioral1/memory/2728-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016062-17.dat	upx
behavioral1/files/0x0008000000016062-19.dat	upx
behavioral1/files/0x0008000000016062-24.dat	upx
behavioral1/memory/2572-28-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016471-29.dat	upx
behavioral1/files/0x0007000000016471-31.dat	upx
behavioral1/files/0x0007000000016471-35.dat	upx
behavioral1/memory/2080-36-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016365-40.dat	upx
behavioral1/files/0x0008000000016365-42.dat	upx
behavioral1/files/0x0008000000016365-46.dat	upx
behavioral1/files/0x0028000000015e3d-49.dat	upx
behavioral1/memory/2728-55-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016669-56.dat	upx
behavioral1/files/0x0008000000016365-57.dat	upx
behavioral1/files/0x0008000000016669-62.dat	upx
behavioral1/files/0x000800000001681a-63.dat	upx
behavioral1/files/0x0006000000016cd6-65.dat	upx
behavioral1/files/0x0006000000016cd6-72.dat	upx
behavioral1/files/0x0006000000016cd6-67.dat	upx
behavioral1/files/0x0006000000016cd6-75.dat	upx
behavioral1/files/0x0006000000016cf0-79.dat	upx
behavioral1/files/0x0006000000016cf0-84.dat	upx
behavioral1/memory/2696-83-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016cf0-77.dat	upx
behavioral1/memory/2540-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2300-90-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-92.dat	upx
behavioral1/files/0x0006000000016d01-94.dat	upx
behavioral1/files/0x0006000000016d01-99.dat	upx
behavioral1/memory/2472-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2488-102-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-104.dat	upx
behavioral1/memory/2696-106-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016cfc-107.dat	upx
behavioral1/files/0x0007000000016cfc-111.dat	upx
behavioral1/files/0x0007000000016cfc-113.dat	upx
behavioral1/files/0x0007000000016cfc-118.dat	upx
behavioral1/files/0x0007000000016cfc-115.dat	upx
behavioral1/files/0x0007000000016cfc-114.dat	upx
behavioral1/files/0x0006000000016d2e-123.dat	upx
behavioral1/files/0x0006000000016d2e-126.dat	upx
behavioral1/files/0x0006000000016d2e-130.dat	upx
behavioral1/files/0x0006000000016d2e-135.dat	upx
behavioral1/files/0x0006000000016d2e-134.dat	upx
behavioral1/files/0x0006000000016d2e-133.dat	upx
behavioral1/files/0x0006000000016d2e-132.dat	upx
behavioral1/memory/1896-131-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/640-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2852-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d4d-143.dat	upx
behavioral1/files/0x0006000000016d4d-150.dat	upx
behavioral1/files/0x0006000000016d4d-145.dat	upx
behavioral1/files/0x0006000000016d4d-154.dat	upx
behavioral1/files/0x0007000000016d3e-156.dat	upx
behavioral1/files/0x0007000000016d3e-158.dat	upx
behavioral1/files/0x0007000000016d3e-162.dat	upx
behavioral1/files/0x0007000000016d3e-165.dat	upx

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\update.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
2728	backup.exe
2572	backup.exe
2696	backup.exe
2472	backup.exe
2488	backup.exe
2540	backup.exe
2300	backup.exe
1896	backup.exe
2852	update.exe
640	backup.exe
1580	backup.exe
1096	data.exe
2640	backup.exe
1536	backup.exe
1192	System Restore.exe
2836	backup.exe
2276	backup.exe
892	backup.exe
2264	backup.exe
1924	backup.exe
1612	backup.exe
1916	backup.exe
1060	backup.exe
2056	backup.exe
2168	backup.exe
1364	backup.exe
680	backup.exe
2176	backup.exe
2076	backup.exe
3052	backup.exe
2692	backup.exe
2464	backup.exe
2416	backup.exe
2792	backup.exe
2576	System Restore.exe
2532	backup.exe
2992	backup.exe
1368	backup.exe
1972	update.exe
2544	data.exe
956	backup.exe
2808	backup.exe
2644	backup.exe
2332	backup.exe
2536	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2728	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	28
PID 2080 wrote to memory of 2728	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	28
PID 2080 wrote to memory of 2728	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	28
PID 2080 wrote to memory of 2728	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	28
PID 2080 wrote to memory of 2572	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	29
PID 2080 wrote to memory of 2572	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	29
PID 2080 wrote to memory of 2572	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	29
PID 2080 wrote to memory of 2572	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	29
PID 2080 wrote to memory of 2696	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	30
PID 2080 wrote to memory of 2696	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	30
PID 2080 wrote to memory of 2696	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	30
PID 2080 wrote to memory of 2696	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	30
PID 2080 wrote to memory of 2472	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	31
PID 2080 wrote to memory of 2472	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	31
PID 2080 wrote to memory of 2472	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	31
PID 2080 wrote to memory of 2472	2080	NEAS.600222a7a06ce5ff99cdd0dd07016580.exe	31
PID 2728 wrote to memory of 2488	2728	backup.exe	32
PID 2728 wrote to memory of 2488	2728	backup.exe	32
PID 2728 wrote to memory of 2488	2728	backup.exe	32
PID 2728 wrote to memory of 2488	2728	backup.exe	32
PID 2488 wrote to memory of 2540	2488	backup.exe	34
PID 2488 wrote to memory of 2540	2488	backup.exe	34
PID 2488 wrote to memory of 2540	2488	backup.exe	34
PID 2488 wrote to memory of 2540	2488	backup.exe	34
PID 2540 wrote to memory of 2300	2540	backup.exe	35
PID 2540 wrote to memory of 2300	2540	backup.exe	35
PID 2540 wrote to memory of 2300	2540	backup.exe	35
PID 2540 wrote to memory of 2300	2540	backup.exe	35
PID 2488 wrote to memory of 1896	2488	backup.exe	36
PID 2488 wrote to memory of 1896	2488	backup.exe	36
PID 2488 wrote to memory of 1896	2488	backup.exe	36
PID 2488 wrote to memory of 1896	2488	backup.exe	36
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 1896 wrote to memory of 2852	1896	backup.exe	37
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 2852 wrote to memory of 640	2852	update.exe	38
PID 1896 wrote to memory of 1580	1896	backup.exe	39
PID 1896 wrote to memory of 1580	1896	backup.exe	39
PID 1896 wrote to memory of 1580	1896	backup.exe	39
PID 1896 wrote to memory of 1580	1896	backup.exe	39
PID 1580 wrote to memory of 1096	1580	backup.exe	40
PID 1580 wrote to memory of 1096	1580	backup.exe	40
PID 1580 wrote to memory of 1096	1580	backup.exe	40
PID 1580 wrote to memory of 1096	1580	backup.exe	40
PID 1096 wrote to memory of 2640	1096	data.exe	41
PID 1096 wrote to memory of 2640	1096	data.exe	41
PID 1096 wrote to memory of 2640	1096	data.exe	41
PID 1096 wrote to memory of 2640	1096	data.exe	41
PID 1096 wrote to memory of 1536	1096	data.exe	42
PID 1096 wrote to memory of 1536	1096	data.exe	42
PID 1096 wrote to memory of 1536	1096	data.exe	42
PID 1096 wrote to memory of 1536	1096	data.exe	42
PID 1536 wrote to memory of 1192	1536	backup.exe	43
PID 1536 wrote to memory of 1192	1536	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.600222a7a06ce5ff99cdd0dd07016580.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.600222a7a06ce5ff99cdd0dd07016580.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\775617629\backup.exe
  C:\Users\Admin\AppData\Local\Temp\775617629\backup.exe C:\Users\Admin\AppData\Local\Temp\775617629\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2728
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2540
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2300
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1896
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2852
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:640
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1580
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1096
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2640
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2264
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1924
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1060
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2168
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1368
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2308
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2100
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2160
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:3020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        
        PID:2640
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1360
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2720
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:836
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2956
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:2772
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2896
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2032
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:2524
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\data.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1084
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2744
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:972
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\update.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2116
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2900
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2376
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2020
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1412
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:748
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1688
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1680
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:900
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1556
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1464
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1256
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1816
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        
        PID:2972
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2500
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:1640
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:2868
      - C:\Program Files\Internet Explorer\es-ES\data.exe
        
        "C:\Program Files\Internet Explorer\es-ES\data.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:1956
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:2544
      - C:\Program Files\Internet Explorer\images\data.exe
        
        "C:\Program Files\Internet Explorer\images\data.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1996
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1888
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2616
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1936
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:816
        
        C:\Program Files\Microsoft Games\Chess\de-DE\data.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\data.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:1412
      - C:\Program Files\Microsoft Games\FreeCell\update.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\update.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2828
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1904
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:1788
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2876
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2452
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2480
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:564
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1736
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1824
  - - C:\Program Files (x86)\System Restore.exe
      "C:\Program Files (x86)\System Restore.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2576
    - - C:\Program Files (x86)\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\update.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1972
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2088
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:3056
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:1992
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:2372
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2968
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2564
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1932
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2176
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2224
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:2592
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1460
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:2396
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2584
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Internet Explorer\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\System Restore.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2536
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2812
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        
        PID:2280
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2120
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:920
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2112
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2696
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2964
    - - C:\Program Files (x86)\Microsoft Synchronization Services\update.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\update.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:1128
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1700
    - - C:\Users\Admin\update.exe
        
        C:\Users\Admin\update.exe C:\Users\Admin\
        5⤵
        
        PID:2700
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1732
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2852
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1508
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1088
    - - C:\Users\Public\System Restore.exe
        
        "C:\Users\Public\System Restore.exe" C:\Users\Public\
        5⤵
        
        PID:2776
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1168
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:2484
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1912
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:292
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:2412
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:2732
      - C:\Users\Public\Recorded TV\update.exe
        
        "C:\Users\Public\Recorded TV\update.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2336
      - C:\Users\Public\Videos\System Restore.exe
        
        "C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
        6⤵
        
        PID:1908
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2012
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:308
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1376
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:2672
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:1652
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:1776
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\
      4⤵
      PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\
      4⤵
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\
      4⤵
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\
      4⤵
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\
      4⤵
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\
      4⤵
      PID:1328
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\
    3⤵
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\
    3⤵
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\
    3⤵
    PID:1260
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\
    3⤵
    PID:1156
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:680
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
21c0fe2ac334ef3f4f7de7efc052d19b

SHA1
7c396eca70a5a01bd7651e20b772537f8a98ea62

SHA256
35620b1d406a92af160ebd9e222ce59c071ce88607dc6829882d44e2f67e910d

SHA512
1402138847360136217015d5632ebace9a0ec434e58a08087614ca50f54a284aee997210f02d6ad2023442af609031cacb8f9ffb9fb0a545e0787805f451b8b5

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
fb59cab87fb14ee7fb44e2640de1b27f

SHA1
b228ae9d4becfdd298e00048f972ac4defcb5352

SHA256
c3066e3b0f61cace30ff5d3e0279793ffe34be9a1df712dfa0217f4fc1f1e400

SHA512
90123f251680f6b50dfe1005cfb784596282a54f3fc0d9f3fae6dbd62d24d25bb21acdef996a1fbf27ce917829316da07d0619771a11dbe5e2f20a5c142ca4c5

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
fb59cab87fb14ee7fb44e2640de1b27f

SHA1
b228ae9d4becfdd298e00048f972ac4defcb5352

SHA256
c3066e3b0f61cace30ff5d3e0279793ffe34be9a1df712dfa0217f4fc1f1e400

SHA512
90123f251680f6b50dfe1005cfb784596282a54f3fc0d9f3fae6dbd62d24d25bb21acdef996a1fbf27ce917829316da07d0619771a11dbe5e2f20a5c142ca4c5

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
239377b4ac242c8d42e48ef0170a2642

SHA1
a85d7ca38e8b618c86ac3e4a0c73ffd1515aad92

SHA256
fbb2aa19832567527c26c760b5a696f4c10b89e68c16381c7a03e49aa324b204

SHA512
f142be33a190b73c147e36c304e3e434cf4c77466d37320aa11043b6beb2a17c9cccdca53d0d6aaedab625b3a988f2bba0b01c47a422f147a55467187ec6a4e1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
84KB

MD5
26986ba33322e8b90f0815514fd1500d

SHA1
14d69019e7519c016017074b629f42bcfc3f6c6b

SHA256
92ee2c4e0d07f85228480a402bacdb39c6b3e8a78b76d25cfc65490a05e95530

SHA512
8d4ee81a24fe1d77b446a2a54cf9408817393739c5de9dbc97000830a349ee6b37fe2ef939f1aa724387f54f454d21aca3fcaa86f28ca16c7036aad959372790

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
84KB

MD5
26986ba33322e8b90f0815514fd1500d

SHA1
14d69019e7519c016017074b629f42bcfc3f6c6b

SHA256
92ee2c4e0d07f85228480a402bacdb39c6b3e8a78b76d25cfc65490a05e95530

SHA512
8d4ee81a24fe1d77b446a2a54cf9408817393739c5de9dbc97000830a349ee6b37fe2ef939f1aa724387f54f454d21aca3fcaa86f28ca16c7036aad959372790

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
be1e6f6a1d5cb91f2e9087d262f14bca

SHA1
a7cf20557a17c247c4bb37af7aa1771d4489b02c

SHA256
3de9a1bd541e70aff73939f98ae6bf8435fe13f1a4c3ef36876fbc3d35f439ee

SHA512
e84ffa233c34270c3fb0d4fa1c3db3d7c81524e4321f438783d06fbfb6c69f99f7f1869637ab1b8fc8a196c80bcf4c611e67146e675972a40e327d63f1947910

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
be1e6f6a1d5cb91f2e9087d262f14bca

SHA1
a7cf20557a17c247c4bb37af7aa1771d4489b02c

SHA256
3de9a1bd541e70aff73939f98ae6bf8435fe13f1a4c3ef36876fbc3d35f439ee

SHA512
e84ffa233c34270c3fb0d4fa1c3db3d7c81524e4321f438783d06fbfb6c69f99f7f1869637ab1b8fc8a196c80bcf4c611e67146e675972a40e327d63f1947910

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
16a2ab8b031ffd1fbddc77fe08c4a220

SHA1
492d0c7cec562e8a597242179a86f26f2ae321c9

SHA256
93e380b2b9bcaef22a4213185465501c4a7b05987f3aa3790f76c5dda0646a61

SHA512
3326efefea12ae04a5ba5e0bf98aba9436a704709a4a3d055b9fa27f71606152d31866bed09e138e53d590d8152c5e74b1c1512c22f7d6a583d950ad5c1ea4e8

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
16a2ab8b031ffd1fbddc77fe08c4a220

SHA1
492d0c7cec562e8a597242179a86f26f2ae321c9

SHA256
93e380b2b9bcaef22a4213185465501c4a7b05987f3aa3790f76c5dda0646a61

SHA512
3326efefea12ae04a5ba5e0bf98aba9436a704709a4a3d055b9fa27f71606152d31866bed09e138e53d590d8152c5e74b1c1512c22f7d6a583d950ad5c1ea4e8

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
fbe4e2dac784aa84334a76b0c55a661d

SHA1
b70cdcf7bcd82c79cb3a8f11ba33afa3c7ffd6d8

SHA256
1cf9c435e54df686929cfe0cff834424e05b55cadea3d6199cf5ff7e6e184ed1

SHA512
03b20ab0f3ca1d360cfedc457efd113a7ae72aecdf27fe37de97db7c9fb53f9ac6eceb5163722e225ebb66530851dd8060c882668e78d53bd777f09414f2e8fe

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
fbe4e2dac784aa84334a76b0c55a661d

SHA1
b70cdcf7bcd82c79cb3a8f11ba33afa3c7ffd6d8

SHA256
1cf9c435e54df686929cfe0cff834424e05b55cadea3d6199cf5ff7e6e184ed1

SHA512
03b20ab0f3ca1d360cfedc457efd113a7ae72aecdf27fe37de97db7c9fb53f9ac6eceb5163722e225ebb66530851dd8060c882668e78d53bd777f09414f2e8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\775617629\backup.exe

Filesize
84KB

MD5
07dc2a4d6ea24a67357c41fac1927170

SHA1
4a9aaafe61354dcfa1ec3518f0c9c06549a3a2c8

SHA256
afcc35bad96611635574f31e9ad4f2b22963d129710c354943099ac463a41a68

SHA512
13994fa4f94c0f178a7746ca9096092d3007086a6f19421fc9687655146d2cff0080d01ebbb357e68d1d407445d759f63c1779adabec49c9119f3c8ad4f6720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\775617629\backup.exe

Filesize
84KB

MD5
07dc2a4d6ea24a67357c41fac1927170

SHA1
4a9aaafe61354dcfa1ec3518f0c9c06549a3a2c8

SHA256
afcc35bad96611635574f31e9ad4f2b22963d129710c354943099ac463a41a68

SHA512
13994fa4f94c0f178a7746ca9096092d3007086a6f19421fc9687655146d2cff0080d01ebbb357e68d1d407445d759f63c1779adabec49c9119f3c8ad4f6720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\775617629\backup.exe

Filesize
84KB

MD5
07dc2a4d6ea24a67357c41fac1927170

SHA1
4a9aaafe61354dcfa1ec3518f0c9c06549a3a2c8

SHA256
afcc35bad96611635574f31e9ad4f2b22963d129710c354943099ac463a41a68

SHA512
13994fa4f94c0f178a7746ca9096092d3007086a6f19421fc9687655146d2cff0080d01ebbb357e68d1d407445d759f63c1779adabec49c9119f3c8ad4f6720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
C:\backup.exe

Filesize
84KB

MD5
8a6e55e934ef3f6901e7736ad625dcc4

SHA1
34b1b3cf78d9f5de9504b92a06fa4cae379d4b78

SHA256
44b85147a0cfc0b637854a956836f6eb936cd1b7e388126f9f315aa24e648546

SHA512
feaba498e88dab9d06e5d6a982f33142bd8ba01cd74e38b7cd64a016447dbac5ef90faf30229488b258d87fd89abed727f89ed886e192786b5be2f8701ca63cd

Download Submit
C:\backup.exe

Filesize
84KB

MD5
8a6e55e934ef3f6901e7736ad625dcc4

SHA1
34b1b3cf78d9f5de9504b92a06fa4cae379d4b78

SHA256
44b85147a0cfc0b637854a956836f6eb936cd1b7e388126f9f315aa24e648546

SHA512
feaba498e88dab9d06e5d6a982f33142bd8ba01cd74e38b7cd64a016447dbac5ef90faf30229488b258d87fd89abed727f89ed886e192786b5be2f8701ca63cd

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
21c0fe2ac334ef3f4f7de7efc052d19b

SHA1
7c396eca70a5a01bd7651e20b772537f8a98ea62

SHA256
35620b1d406a92af160ebd9e222ce59c071ce88607dc6829882d44e2f67e910d

SHA512
1402138847360136217015d5632ebace9a0ec434e58a08087614ca50f54a284aee997210f02d6ad2023442af609031cacb8f9ffb9fb0a545e0787805f451b8b5

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
21c0fe2ac334ef3f4f7de7efc052d19b

SHA1
7c396eca70a5a01bd7651e20b772537f8a98ea62

SHA256
35620b1d406a92af160ebd9e222ce59c071ce88607dc6829882d44e2f67e910d

SHA512
1402138847360136217015d5632ebace9a0ec434e58a08087614ca50f54a284aee997210f02d6ad2023442af609031cacb8f9ffb9fb0a545e0787805f451b8b5

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
fb59cab87fb14ee7fb44e2640de1b27f

SHA1
b228ae9d4becfdd298e00048f972ac4defcb5352

SHA256
c3066e3b0f61cace30ff5d3e0279793ffe34be9a1df712dfa0217f4fc1f1e400

SHA512
90123f251680f6b50dfe1005cfb784596282a54f3fc0d9f3fae6dbd62d24d25bb21acdef996a1fbf27ce917829316da07d0619771a11dbe5e2f20a5c142ca4c5

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
fb59cab87fb14ee7fb44e2640de1b27f

SHA1
b228ae9d4becfdd298e00048f972ac4defcb5352

SHA256
c3066e3b0f61cace30ff5d3e0279793ffe34be9a1df712dfa0217f4fc1f1e400

SHA512
90123f251680f6b50dfe1005cfb784596282a54f3fc0d9f3fae6dbd62d24d25bb21acdef996a1fbf27ce917829316da07d0619771a11dbe5e2f20a5c142ca4c5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
1cb81551e4e7c12f8e34b068da7831cd

SHA1
48382826938e01ab44b4059d0ec44268e0aec251

SHA256
595f3b93b946378a0a6e3438e58f00531d6b48a590687a0fa043660a4ecf1b15

SHA512
b637d23c79a47336b4f468981bee3da9c3bf49e990fb04ccb76adf60c9f245f0f39bc6f03033c238c4b6e079151874020d430e0cfd91ae2229b499d9f353c8de

Download Submit
\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
\Program Files\7-Zip\update.exe

Filesize
84KB

MD5
e1fdeaa519bce2018409060f4f0203aa

SHA1
8b101aad2e4dbf0f291507e8e43cf327ec58140a

SHA256
a6defd42f4de0b03b1b82226281018a0f76b2a053d23ee753117852594ea5b8e

SHA512
7305c351bbd20d08ecb53b15b3c03b8300c59f04817cc19270fdb79bb3c08e83f6f8e3b8ec78907df56d73950ca02717e0368f98fb877e75878fef1b66998985

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
239377b4ac242c8d42e48ef0170a2642

SHA1
a85d7ca38e8b618c86ac3e4a0c73ffd1515aad92

SHA256
fbb2aa19832567527c26c760b5a696f4c10b89e68c16381c7a03e49aa324b204

SHA512
f142be33a190b73c147e36c304e3e434cf4c77466d37320aa11043b6beb2a17c9cccdca53d0d6aaedab625b3a988f2bba0b01c47a422f147a55467187ec6a4e1

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
239377b4ac242c8d42e48ef0170a2642

SHA1
a85d7ca38e8b618c86ac3e4a0c73ffd1515aad92

SHA256
fbb2aa19832567527c26c760b5a696f4c10b89e68c16381c7a03e49aa324b204

SHA512
f142be33a190b73c147e36c304e3e434cf4c77466d37320aa11043b6beb2a17c9cccdca53d0d6aaedab625b3a988f2bba0b01c47a422f147a55467187ec6a4e1

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
84KB

MD5
26986ba33322e8b90f0815514fd1500d

SHA1
14d69019e7519c016017074b629f42bcfc3f6c6b

SHA256
92ee2c4e0d07f85228480a402bacdb39c6b3e8a78b76d25cfc65490a05e95530

SHA512
8d4ee81a24fe1d77b446a2a54cf9408817393739c5de9dbc97000830a349ee6b37fe2ef939f1aa724387f54f454d21aca3fcaa86f28ca16c7036aad959372790

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
84KB

MD5
26986ba33322e8b90f0815514fd1500d

SHA1
14d69019e7519c016017074b629f42bcfc3f6c6b

SHA256
92ee2c4e0d07f85228480a402bacdb39c6b3e8a78b76d25cfc65490a05e95530

SHA512
8d4ee81a24fe1d77b446a2a54cf9408817393739c5de9dbc97000830a349ee6b37fe2ef939f1aa724387f54f454d21aca3fcaa86f28ca16c7036aad959372790

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
be1e6f6a1d5cb91f2e9087d262f14bca

SHA1
a7cf20557a17c247c4bb37af7aa1771d4489b02c

SHA256
3de9a1bd541e70aff73939f98ae6bf8435fe13f1a4c3ef36876fbc3d35f439ee

SHA512
e84ffa233c34270c3fb0d4fa1c3db3d7c81524e4321f438783d06fbfb6c69f99f7f1869637ab1b8fc8a196c80bcf4c611e67146e675972a40e327d63f1947910

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
be1e6f6a1d5cb91f2e9087d262f14bca

SHA1
a7cf20557a17c247c4bb37af7aa1771d4489b02c

SHA256
3de9a1bd541e70aff73939f98ae6bf8435fe13f1a4c3ef36876fbc3d35f439ee

SHA512
e84ffa233c34270c3fb0d4fa1c3db3d7c81524e4321f438783d06fbfb6c69f99f7f1869637ab1b8fc8a196c80bcf4c611e67146e675972a40e327d63f1947910

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
8605464754ca4102b8c5eb50199c74cb

SHA1
e4249e86b7015dfe125a7f50775bb81daf5aa453

SHA256
b1768530e8ddb60a4e48429f5d3f76585a93d6f61cdb083321a43ea6c6d21426

SHA512
62bf15add02b1b8cec5f77946c6eaad8c8b85e933f515c72c5828f689b99cf100d67e62e1442712761acdeaea6fe1d927ed01dd60307319ab77566cf3f458971

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
517fbecae03cb58daf7a9a9edf79ace7

SHA1
55cba5388f917adfa700afc8cf2a2c2ae7fd9a6d

SHA256
1090831744efbbaa8c1f9b0b1051349aa126b2de7a60af4a73ae475debe74af5

SHA512
485d6d57d4e6cf671355ce3d72a075346e32625a0c6138a64b0a7928bd7d0f323603044e23368cf15e73ab4c0f464871ae14735d3b55b5fae7310a960643aec4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
517fbecae03cb58daf7a9a9edf79ace7

SHA1
55cba5388f917adfa700afc8cf2a2c2ae7fd9a6d

SHA256
1090831744efbbaa8c1f9b0b1051349aa126b2de7a60af4a73ae475debe74af5

SHA512
485d6d57d4e6cf671355ce3d72a075346e32625a0c6138a64b0a7928bd7d0f323603044e23368cf15e73ab4c0f464871ae14735d3b55b5fae7310a960643aec4

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
16a2ab8b031ffd1fbddc77fe08c4a220

SHA1
492d0c7cec562e8a597242179a86f26f2ae321c9

SHA256
93e380b2b9bcaef22a4213185465501c4a7b05987f3aa3790f76c5dda0646a61

SHA512
3326efefea12ae04a5ba5e0bf98aba9436a704709a4a3d055b9fa27f71606152d31866bed09e138e53d590d8152c5e74b1c1512c22f7d6a583d950ad5c1ea4e8

Download Submit
\Program Files\Common Files\backup.exe

Filesize
84KB

MD5
16a2ab8b031ffd1fbddc77fe08c4a220

SHA1
492d0c7cec562e8a597242179a86f26f2ae321c9

SHA256
93e380b2b9bcaef22a4213185465501c4a7b05987f3aa3790f76c5dda0646a61

SHA512
3326efefea12ae04a5ba5e0bf98aba9436a704709a4a3d055b9fa27f71606152d31866bed09e138e53d590d8152c5e74b1c1512c22f7d6a583d950ad5c1ea4e8

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
fbe4e2dac784aa84334a76b0c55a661d

SHA1
b70cdcf7bcd82c79cb3a8f11ba33afa3c7ffd6d8

SHA256
1cf9c435e54df686929cfe0cff834424e05b55cadea3d6199cf5ff7e6e184ed1

SHA512
03b20ab0f3ca1d360cfedc457efd113a7ae72aecdf27fe37de97db7c9fb53f9ac6eceb5163722e225ebb66530851dd8060c882668e78d53bd777f09414f2e8fe

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
fbe4e2dac784aa84334a76b0c55a661d

SHA1
b70cdcf7bcd82c79cb3a8f11ba33afa3c7ffd6d8

SHA256
1cf9c435e54df686929cfe0cff834424e05b55cadea3d6199cf5ff7e6e184ed1

SHA512
03b20ab0f3ca1d360cfedc457efd113a7ae72aecdf27fe37de97db7c9fb53f9ac6eceb5163722e225ebb66530851dd8060c882668e78d53bd777f09414f2e8fe

Download Submit
\Users\Admin\AppData\Local\Temp\775617629\backup.exe

Filesize
84KB

MD5
07dc2a4d6ea24a67357c41fac1927170

SHA1
4a9aaafe61354dcfa1ec3518f0c9c06549a3a2c8

SHA256
afcc35bad96611635574f31e9ad4f2b22963d129710c354943099ac463a41a68

SHA512
13994fa4f94c0f178a7746ca9096092d3007086a6f19421fc9687655146d2cff0080d01ebbb357e68d1d407445d759f63c1779adabec49c9119f3c8ad4f6720f

Download Submit
\Users\Admin\AppData\Local\Temp\775617629\backup.exe

Filesize
84KB

MD5
07dc2a4d6ea24a67357c41fac1927170

SHA1
4a9aaafe61354dcfa1ec3518f0c9c06549a3a2c8

SHA256
afcc35bad96611635574f31e9ad4f2b22963d129710c354943099ac463a41a68

SHA512
13994fa4f94c0f178a7746ca9096092d3007086a6f19421fc9687655146d2cff0080d01ebbb357e68d1d407445d759f63c1779adabec49c9119f3c8ad4f6720f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
b8e5f929739a147f079ab3514f2966f0

SHA1
9d114012448b666b5e6ca1f3da15b492d2b5de90

SHA256
ed5c91b0203842b48e40d4a0ebce958922dc360f3ea2f61bb464324dfb9b110e

SHA512
1b35a05718f7a325764dd9fbb4bd73e6a7d09ccfb4663609db96a064b1a3977e82f645c0d859d961bc858cb6ce4e470dfb0e3e6fed6b0f7a4a7bb39654b3977c

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
84KB

MD5
f83f3e83714044a2d3b18cc270c686e5

SHA1
1edda4cfaa80437e49f33042baf24c883dd45196

SHA256
b21d31bb34332d7e0583be548667cc0d75125ee89da7d1b2fbfa4cb66ec4e510

SHA512
6f0b3dd29d074e28eecaf9935da5b8f5f4b8917e5cfcf782bdf1329b2546c700a7600aba751b305c0773ebb68dc2778c701315e1cd1b92fc8ad613f9b7098607

Download Submit
memory/640-137-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/640-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/640-136-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/892-237-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1060-296-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1096-234-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1096-169-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1096-213-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1096-174-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/1192-203-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1364-316-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1536-245-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-200-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-265-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-283-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-254-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-255-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-224-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-233-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-243-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1536-242-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1580-207-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/1580-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1612-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1896-187-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1896-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1896-151-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1896-149-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1916-282-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1924-259-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2056-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2080-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2080-314-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2080-313-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2080-11-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2080-290-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2080-268-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2080-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2080-23-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2264-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2276-228-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2300-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2472-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2488-124-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2488-100-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2488-112-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2488-102-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2488-71-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2540-85-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2540-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2540-86-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2572-28-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2640-180-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2728-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2728-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2728-109-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2728-60-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2836-217-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-117-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2852-119-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2852-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-116-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads