cd84b36f1a4f07f4918cb4413789e805023633037f118ed8195ea90d7269abd8

Analysis

max time kernel
127s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-10-2023 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.22682237925f98c484bae7dfb0438690_JC.exe
Size

72KB
MD5

22682237925f98c484bae7dfb0438690
SHA1

96dfe4480857081cc0a7b6c4a892337ed441a89d
SHA256

cd84b36f1a4f07f4918cb4413789e805023633037f118ed8195ea90d7269abd8
SHA512

e676f6939b60acf66f17686bab6502778e37c2df2f48bb28e932d19404f69fb62835a6ee06006f5d27b964d4f293977ff97c51461791b3085dae5489377d0672
SSDEEP

768:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrTd/+I9P:HeT7BVwxfvqguKp+SP

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	backup.exe
2696	backup.exe
2616	backup.exe
2524	backup.exe
2552	backup.exe
2412	backup.exe
2936	backup.exe
2820	backup.exe
2572	backup.exe
524	backup.exe
852	data.exe
1196	backup.exe
1200	backup.exe
2060	backup.exe
2016	backup.exe
2096	backup.exe
1144	update.exe
2276	backup.exe
1536	backup.exe
1604	backup.exe
1668	backup.exe
864	backup.exe
1068	backup.exe
1748	backup.exe
328	backup.exe
2140	backup.exe
872	backup.exe
976	backup.exe
1044	backup.exe
2416	backup.exe
2656	backup.exe
2756	data.exe
2528	backup.exe
2696	backup.exe
2568	backup.exe
2672	backup.exe
3040	backup.exe
2884	update.exe
2892	backup.exe
2288	backup.exe
1516	backup.exe
1620	backup.exe
2856	backup.exe
660	backup.exe
536	backup.exe
1500	backup.exe
1508	backup.exe
584	backup.exe
1372	backup.exe
1108	backup.exe
2848	backup.exe
780	backup.exe
2144	backup.exe
1432	backup.exe
2388	backup.exe
2264	backup.exe
1936	backup.exe
692	backup.exe
2996	backup.exe
1248	backup.exe
596	backup.exe
3052	backup.exe
2192	data.exe
2960	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2820	backup.exe
2820	backup.exe
2572	backup.exe
2572	backup.exe
2820	backup.exe
2820	backup.exe
852	data.exe
852	data.exe
1196	backup.exe
1196	backup.exe
852	data.exe
852	data.exe
2060	backup.exe
2060	backup.exe
2016	backup.exe
2016	backup.exe
2016	backup.exe
1144	update.exe
1144	update.exe
1144	update.exe
1144	update.exe
1144	update.exe
2276	backup.exe
2276	backup.exe
2276	backup.exe
1144	update.exe
1144	update.exe
1536	backup.exe
1536	backup.exe
1536	backup.exe
1144	update.exe
1144	update.exe
1604	backup.exe
1604	backup.exe
1604	backup.exe
1144	update.exe
1144	update.exe
1668	backup.exe
1668	backup.exe
1668	backup.exe
1144	update.exe
1144	update.exe
864	backup.exe
864	backup.exe
864	backup.exe
1144	update.exe
1144	update.exe
1068	backup.exe
1068	backup.exe
1068	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	data.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	update.exe
File opened for modification	C:\Program Files\Google\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
2512	backup.exe
2696	backup.exe
2616	backup.exe
2524	backup.exe
2552	backup.exe
2412	backup.exe
2936	backup.exe
2820	backup.exe
2572	backup.exe
524	backup.exe
852	data.exe
1196	backup.exe
1200	backup.exe
2060	backup.exe
2016	backup.exe
2096	backup.exe
1144	update.exe
2276	backup.exe
1536	backup.exe
1604	backup.exe
1668	backup.exe
864	backup.exe
1068	backup.exe
1748	backup.exe
328	backup.exe
2140	backup.exe
872	backup.exe
976	backup.exe
1044	backup.exe
2416	backup.exe
2656	backup.exe
2756	data.exe
2528	backup.exe
2696	backup.exe
2568	backup.exe
2672	backup.exe
3040	backup.exe
2892	backup.exe
2884	update.exe
2288	backup.exe
1620	backup.exe
2856	backup.exe
1516	backup.exe
536	backup.exe
1500	backup.exe
660	backup.exe
1508	backup.exe
584	backup.exe
1372	backup.exe
1108	backup.exe
2848	backup.exe
1936	backup.exe
2388	backup.exe
2996	backup.exe
780	backup.exe
1248	backup.exe
1432	backup.exe
692	backup.exe
2264	backup.exe
596	backup.exe
2192	data.exe
3052	backup.exe
1920	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2512	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	29
PID 2768 wrote to memory of 2512	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	29
PID 2768 wrote to memory of 2512	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	29
PID 2768 wrote to memory of 2512	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	29
PID 2768 wrote to memory of 2696	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	30
PID 2768 wrote to memory of 2696	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	30
PID 2768 wrote to memory of 2696	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	30
PID 2768 wrote to memory of 2696	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	30
PID 2768 wrote to memory of 2616	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	31
PID 2768 wrote to memory of 2616	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	31
PID 2768 wrote to memory of 2616	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	31
PID 2768 wrote to memory of 2616	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	31
PID 2768 wrote to memory of 2524	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	32
PID 2768 wrote to memory of 2524	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	32
PID 2768 wrote to memory of 2524	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	32
PID 2768 wrote to memory of 2524	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	32
PID 2768 wrote to memory of 2552	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	33
PID 2768 wrote to memory of 2552	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	33
PID 2768 wrote to memory of 2552	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	33
PID 2768 wrote to memory of 2552	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	33
PID 2768 wrote to memory of 2412	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	34
PID 2768 wrote to memory of 2412	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	34
PID 2768 wrote to memory of 2412	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	34
PID 2768 wrote to memory of 2412	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	34
PID 2768 wrote to memory of 2936	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	35
PID 2768 wrote to memory of 2936	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	35
PID 2768 wrote to memory of 2936	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	35
PID 2768 wrote to memory of 2936	2768	NEAS.22682237925f98c484bae7dfb0438690_JC.exe	35
PID 2512 wrote to memory of 2820	2512	backup.exe	36
PID 2512 wrote to memory of 2820	2512	backup.exe	36
PID 2512 wrote to memory of 2820	2512	backup.exe	36
PID 2512 wrote to memory of 2820	2512	backup.exe	36
PID 2820 wrote to memory of 2572	2820	backup.exe	37
PID 2820 wrote to memory of 2572	2820	backup.exe	37
PID 2820 wrote to memory of 2572	2820	backup.exe	37
PID 2820 wrote to memory of 2572	2820	backup.exe	37
PID 2572 wrote to memory of 524	2572	backup.exe	38
PID 2572 wrote to memory of 524	2572	backup.exe	38
PID 2572 wrote to memory of 524	2572	backup.exe	38
PID 2572 wrote to memory of 524	2572	backup.exe	38
PID 2820 wrote to memory of 852	2820	backup.exe	39
PID 2820 wrote to memory of 852	2820	backup.exe	39
PID 2820 wrote to memory of 852	2820	backup.exe	39
PID 2820 wrote to memory of 852	2820	backup.exe	39
PID 852 wrote to memory of 1196	852	data.exe	40
PID 852 wrote to memory of 1196	852	data.exe	40
PID 852 wrote to memory of 1196	852	data.exe	40
PID 852 wrote to memory of 1196	852	data.exe	40
PID 1196 wrote to memory of 1200	1196	backup.exe	41
PID 1196 wrote to memory of 1200	1196	backup.exe	41
PID 1196 wrote to memory of 1200	1196	backup.exe	41
PID 1196 wrote to memory of 1200	1196	backup.exe	41
PID 852 wrote to memory of 2060	852	data.exe	42
PID 852 wrote to memory of 2060	852	data.exe	42
PID 852 wrote to memory of 2060	852	data.exe	42
PID 852 wrote to memory of 2060	852	data.exe	42
PID 2060 wrote to memory of 2016	2060	backup.exe	43
PID 2060 wrote to memory of 2016	2060	backup.exe	43
PID 2060 wrote to memory of 2016	2060	backup.exe	43
PID 2060 wrote to memory of 2016	2060	backup.exe	43
PID 2016 wrote to memory of 2096	2016	backup.exe	44
PID 2016 wrote to memory of 2096	2016	backup.exe	44
PID 2016 wrote to memory of 2096	2016	backup.exe	44
PID 2016 wrote to memory of 2096	2016	backup.exe	44

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.22682237925f98c484bae7dfb0438690_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.22682237925f98c484bae7dfb0438690_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.22682237925f98c484bae7dfb0438690_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768
- C:\Users\Admin\AppData\Local\Temp\2326880575\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2326880575\backup.exe C:\Users\Admin\AppData\Local\Temp\2326880575\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2512
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2820
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2572
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:524
  - - C:\Program Files\data.exe
      "C:\Program Files\data.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:852
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1196
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1200
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2096
        
        C:\Program Files\Common Files\Microsoft Shared\ink\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1144
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1068
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:872
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2656
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:1496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2208
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:272
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:2092
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:308
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1508
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1228
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:584
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1724
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1640
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:2724
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:2416
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2220
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1036
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2396
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3040
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2856
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2264
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:596
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2628
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2544
        
        C:\Program Files\Common Files\System\ado\en-US\data.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\data.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:1312
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1068
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:904
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2468
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2520
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:784
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1656
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1804
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1460
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1676
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:992
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2568
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:660
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2996
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1588
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1628
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1256
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1248
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:2176
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1516
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2388
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:2952
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        
        PID:2308
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:2356
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:2908
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2928
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1432
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1864
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        
        PID:2232
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:1136
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1712
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:2900
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2632
      - C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2168
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2196
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1480
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:2548
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:2336
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:1192
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:964
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2400
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:2872
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        
        PID:960
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:444
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1604
    - - C:\Program Files\Mozilla Firefox\data.exe
        
        "C:\Program Files\Mozilla Firefox\data.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1900
    - - C:\Program Files\MSBuild\update.exe
        
        "C:\Program Files\MSBuild\update.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:924
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1936
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2736
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2672
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1500
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2136
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:864
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2200
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:916
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:872
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2916
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:816
    - - C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\System Restore.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2712
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1384
      - C:\Program Files (x86)\Microsoft Office\CLIPART\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\System Restore.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        
        PID:1248
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:328
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2492
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1620
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2484
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2276
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2556
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:1348
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2508
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:576
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:684
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1572
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1700
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:2640
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:1868
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      PID:2144
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1282eb10a42a98baf23df6c7b653583f

SHA1
87b349c2393dfa3c53cdc5f1f3c66ce93dbfe271

SHA256
3acd5fad8815e1f540452a9811c8ebd8663046f7fa53e6b4e14bf479e6075bf2

SHA512
deef693793b120db4c9ac26162675c9a4b547ec1b4f9a7aec2922098c8d94458ce83e3d70b6b6ccee7a757d8ad318edc637c57dcf0dadeb7a39d35c4882493dd

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f25315266da84c4b93eb7f3795f227f7

SHA1
8130a882e00e476a0e037cdcccc5dd8fd744c247

SHA256
87baecbb6dfe5aa6ac6260e8223ccfef376ed3fb707b51cc7f29a3af6e65961d

SHA512
e94f6f7ac2f299c9edb1432e4757f54329255ecb32725d3feee113854af72c80f6496e6b6ff7d1b09f638ec6a723296a7b19b111aec47a5bd4a22d1a4dd34c88

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f25315266da84c4b93eb7f3795f227f7

SHA1
8130a882e00e476a0e037cdcccc5dd8fd744c247

SHA256
87baecbb6dfe5aa6ac6260e8223ccfef376ed3fb707b51cc7f29a3af6e65961d

SHA512
e94f6f7ac2f299c9edb1432e4757f54329255ecb32725d3feee113854af72c80f6496e6b6ff7d1b09f638ec6a723296a7b19b111aec47a5bd4a22d1a4dd34c88

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
C:\Program Files\data.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2326880575\backup.exe

Filesize
72KB

MD5
529474c90fc94ee67ac475f8f314b6bb

SHA1
f18be0b2e4b968c4a7fbf7edcf53c3cc3c804d96

SHA256
efdba535499949a8f77fcce8366f11f6dff7c84d2e1ea3e88a373b36f9941b1e

SHA512
446f81f28ed879d81cbe5d3aff86c23d890cc826bc454063b0a7bdaea85fb26564f25af7458b22cdc093ee382e96db8d9e446760821031e94886539acf101463

Download Submit
C:\Users\Admin\AppData\Local\Temp\2326880575\backup.exe

Filesize
72KB

MD5
529474c90fc94ee67ac475f8f314b6bb

SHA1
f18be0b2e4b968c4a7fbf7edcf53c3cc3c804d96

SHA256
efdba535499949a8f77fcce8366f11f6dff7c84d2e1ea3e88a373b36f9941b1e

SHA512
446f81f28ed879d81cbe5d3aff86c23d890cc826bc454063b0a7bdaea85fb26564f25af7458b22cdc093ee382e96db8d9e446760821031e94886539acf101463

Download Submit
C:\Users\Admin\AppData\Local\Temp\2326880575\backup.exe

Filesize
72KB

MD5
529474c90fc94ee67ac475f8f314b6bb

SHA1
f18be0b2e4b968c4a7fbf7edcf53c3cc3c804d96

SHA256
efdba535499949a8f77fcce8366f11f6dff7c84d2e1ea3e88a373b36f9941b1e

SHA512
446f81f28ed879d81cbe5d3aff86c23d890cc826bc454063b0a7bdaea85fb26564f25af7458b22cdc093ee382e96db8d9e446760821031e94886539acf101463

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
3b8b539ea83e01b44662e9b0c3d81abb

SHA1
2c33b7412445e9ca087479e56afa0726f1b0451f

SHA256
447c62e5596581eb3ce6448e2436df57b0109d753019f47aa80814afaf87b3c4

SHA512
8fb1b30cf22d32230fc16a6573a6e10b19d87f0d77a53f81f85dd9050d1cd0d9f60e43764d906ec4661dafdcb6b948fb1a956b1e09c18af91fe3adb496306ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0e6ed9bed08253eb5aee542a3af60db2

SHA1
cb87d1000556d95116195eaf6e23c279ef06ddac

SHA256
238c8257db72c7e184a81159f9855c9164d843a61eabde6bda3585add3f16bc3

SHA512
c9b2c0b8cb3db070160249f587beaf317f5b111aaf5465e8980382c80a7ba4155ea97cd8cd49b051ff1ac56f2714067f302c1db976db9506dba3b2ae4760455a

Download Submit
C:\backup.exe

Filesize
72KB

MD5
0e6ed9bed08253eb5aee542a3af60db2

SHA1
cb87d1000556d95116195eaf6e23c279ef06ddac

SHA256
238c8257db72c7e184a81159f9855c9164d843a61eabde6bda3585add3f16bc3

SHA512
c9b2c0b8cb3db070160249f587beaf317f5b111aaf5465e8980382c80a7ba4155ea97cd8cd49b051ff1ac56f2714067f302c1db976db9506dba3b2ae4760455a

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1282eb10a42a98baf23df6c7b653583f

SHA1
87b349c2393dfa3c53cdc5f1f3c66ce93dbfe271

SHA256
3acd5fad8815e1f540452a9811c8ebd8663046f7fa53e6b4e14bf479e6075bf2

SHA512
deef693793b120db4c9ac26162675c9a4b547ec1b4f9a7aec2922098c8d94458ce83e3d70b6b6ccee7a757d8ad318edc637c57dcf0dadeb7a39d35c4882493dd

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
1282eb10a42a98baf23df6c7b653583f

SHA1
87b349c2393dfa3c53cdc5f1f3c66ce93dbfe271

SHA256
3acd5fad8815e1f540452a9811c8ebd8663046f7fa53e6b4e14bf479e6075bf2

SHA512
deef693793b120db4c9ac26162675c9a4b547ec1b4f9a7aec2922098c8d94458ce83e3d70b6b6ccee7a757d8ad318edc637c57dcf0dadeb7a39d35c4882493dd

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
07dd8691fdc9fea2d8ecf62e9503ff6f

SHA1
9cd0e4892e0413c1d663b8f56aef8381258755c9

SHA256
8d72250c6562c29e7c550305b853415fc47e804fc0e48f8b8058f0db1c886ec0

SHA512
6f16bf6650c2aeb8cf749f284855f0049a4723db874893c7f36e26afafb088702d22665eae78e035b2a7f2ee18ebb588ff46650c53b7bcfe284bf064741cdb9e

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f25315266da84c4b93eb7f3795f227f7

SHA1
8130a882e00e476a0e037cdcccc5dd8fd744c247

SHA256
87baecbb6dfe5aa6ac6260e8223ccfef376ed3fb707b51cc7f29a3af6e65961d

SHA512
e94f6f7ac2f299c9edb1432e4757f54329255ecb32725d3feee113854af72c80f6496e6b6ff7d1b09f638ec6a723296a7b19b111aec47a5bd4a22d1a4dd34c88

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f25315266da84c4b93eb7f3795f227f7

SHA1
8130a882e00e476a0e037cdcccc5dd8fd744c247

SHA256
87baecbb6dfe5aa6ac6260e8223ccfef376ed3fb707b51cc7f29a3af6e65961d

SHA512
e94f6f7ac2f299c9edb1432e4757f54329255ecb32725d3feee113854af72c80f6496e6b6ff7d1b09f638ec6a723296a7b19b111aec47a5bd4a22d1a4dd34c88

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
f25315266da84c4b93eb7f3795f227f7

SHA1
8130a882e00e476a0e037cdcccc5dd8fd744c247

SHA256
87baecbb6dfe5aa6ac6260e8223ccfef376ed3fb707b51cc7f29a3af6e65961d

SHA512
e94f6f7ac2f299c9edb1432e4757f54329255ecb32725d3feee113854af72c80f6496e6b6ff7d1b09f638ec6a723296a7b19b111aec47a5bd4a22d1a4dd34c88

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\update.exe

Filesize
72KB

MD5
46a85138aa9cee14b55b290ba47a0341

SHA1
0a7f5189231a849046129df00a34760997f97bb0

SHA256
997d044ed77ffb83ee4f07abbc75739e478f9b067fc321e34f901ccc284f245f

SHA512
2292873d6b69b937b892c4eb2e2be5b8c1db1d644c12df3cda9d1c4bf770bac28ada718a2826cf454c2e05eb65655475f63677b7687c7af2e150cb84039c4958

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
920342342d6507b62142bdc94a281c87

SHA1
89725d6cd39e7cba7208e2c851594b37cde12b18

SHA256
57b4a1abb04276b8bea5f3f22a96f97cc02d6e45b59e9e012daca2c6f11a4c17

SHA512
ac492844543cf6bc4dfb7618d677c2c32a98da9283821c0818a0cebb5deff2720a45a747ee3a7b3fa61dd97ba37aec80de92fdbb1a31627903d15f3cd2b76abe

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
\Program Files\data.exe

Filesize
72KB

MD5
56668124c3179462ff188efcadc5e5ea

SHA1
223cf1d79614eb6b5d8e157ddc191abae09e42c5

SHA256
5fef4f299b8a427ec9427c97224c2ff5395a98bfcd223b42866cbacfaaf4c5e9

SHA512
55b934170d73d608a3260d72bd2a36ce11488fc6288db649524f3461ea9595409474878cdf46150b957d4af9e58fec71c645fbdfaedb5b20e07ab667bc936ef2

Download Submit
\Users\Admin\AppData\Local\Temp\2326880575\backup.exe

Filesize
72KB

MD5
529474c90fc94ee67ac475f8f314b6bb

SHA1
f18be0b2e4b968c4a7fbf7edcf53c3cc3c804d96

SHA256
efdba535499949a8f77fcce8366f11f6dff7c84d2e1ea3e88a373b36f9941b1e

SHA512
446f81f28ed879d81cbe5d3aff86c23d890cc826bc454063b0a7bdaea85fb26564f25af7458b22cdc093ee382e96db8d9e446760821031e94886539acf101463

Download Submit
\Users\Admin\AppData\Local\Temp\2326880575\backup.exe

Filesize
72KB

MD5
529474c90fc94ee67ac475f8f314b6bb

SHA1
f18be0b2e4b968c4a7fbf7edcf53c3cc3c804d96

SHA256
efdba535499949a8f77fcce8366f11f6dff7c84d2e1ea3e88a373b36f9941b1e

SHA512
446f81f28ed879d81cbe5d3aff86c23d890cc826bc454063b0a7bdaea85fb26564f25af7458b22cdc093ee382e96db8d9e446760821031e94886539acf101463

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
4e36cddbbe49a2bdcbce0f02abead18a

SHA1
faaea2e5e57275df9a4609b37a03740ad4e6589b

SHA256
c5fb5ab2ea6c81732a5dcc80093e32584986e6d03931621e5b39d1a9b826b0fd

SHA512
cd3df232a73772d99db0ad2d9ebad2d584cd3426a035032c1059103e54dca97f22d98e51f3230c92101c16fe9bfce5fb2b61f84ac8b68aee05c5d80a1ebea259

Download Submit
memory/2768-89-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads