1056ba7e437644ad7f5eafe06410608c140111d61a78977129aeba4db917f384

Analysis

max time kernel
23s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a032449643dc4f5d56aa50f8349400b0.exe
Size

84KB
MD5

a032449643dc4f5d56aa50f8349400b0
SHA1

673acf984fe43f397dc9dd90f2e50db3bf25170a
SHA256

1056ba7e437644ad7f5eafe06410608c140111d61a78977129aeba4db917f384
SHA512

d3e9311f44c1ad8db7e827c8008777a23959e3fe227687f0b88a0adc12623556a48e8c2fbc587529c82c948f5712d39736e6c182c075d736513ec98464796dd6
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKmyLylze70wi3BEmB:BeT7BVwxfvEFwjRB

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 51 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 53 IoCs

pid	Process
2984	backup.exe
2720	backup.exe
2784	backup.exe
2532	backup.exe
2116	backup.exe
2980	backup.exe
1792	backup.exe
1252	backup.exe
1508	backup.exe
1420	backup.exe
796	System Restore.exe
1960	backup.exe
1696	backup.exe
1976	backup.exe
2148	backup.exe
2352	backup.exe
2244	backup.exe
2376	backup.exe
1984	backup.exe
2976	update.exe
1556	backup.exe
692	backup.exe
808	backup.exe
1668	backup.exe
1032	backup.exe
2576	backup.exe
2464	System Restore.exe
2460	backup.exe
2452	backup.exe
1736	backup.exe
1588	backup.exe
2960	backup.exe
2704	backup.exe
2600	backup.exe
2628	backup.exe
1876	backup.exe
2496	backup.exe
1712	backup.exe
3064	data.exe
580	backup.exe
1084	backup.exe
1552	backup.exe
1692	backup.exe
2680	backup.exe
1948	backup.exe
1816	backup.exe
292	backup.exe
2784	backup.exe
2168	backup.exe
1304	backup.exe
2356	backup.exe
2280	backup.exe
3040	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2532	backup.exe
2116	backup.exe
2116	backup.exe
2980	backup.exe
2980	backup.exe
2116	backup.exe
2116	backup.exe
1252	backup.exe
1252	backup.exe
1508	backup.exe
1508	backup.exe
1252	backup.exe
1252	backup.exe
796	System Restore.exe
796	System Restore.exe
1960	backup.exe
1960	backup.exe
1960	backup.exe
1960	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2976	update.exe
2976	update.exe
2976	update.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1976	backup.exe
1736	backup.exe
1736	backup.exe
2116	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0010000000015f2c-5.dat	upx
behavioral1/files/0x0010000000015f2c-7.dat	upx
behavioral1/files/0x0010000000015f2c-9.dat	upx
behavioral1/files/0x0010000000015f2c-12.dat	upx
behavioral1/memory/2984-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016471-23.dat	upx
behavioral1/files/0x0008000000016471-19.dat	upx
behavioral1/files/0x0008000000016471-17.dat	upx
behavioral1/memory/2720-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001681a-28.dat	upx
behavioral1/files/0x000700000001681a-30.dat	upx
behavioral1/memory/2808-35-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001681a-34.dat	upx
behavioral1/files/0x0008000000016669-39.dat	upx
behavioral1/files/0x0008000000016669-45.dat	upx
behavioral1/files/0x0008000000016669-41.dat	upx
behavioral1/files/0x0010000000015f2c-46.dat	upx
behavioral1/memory/2984-51-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016b93-55.dat	upx
behavioral1/files/0x0007000000016b93-60.dat	upx
behavioral1/files/0x0008000000016669-58.dat	upx
behavioral1/files/0x0007000000016cf0-61.dat	upx
behavioral1/files/0x0006000000016cfc-63.dat	upx
behavioral1/files/0x0006000000016cfc-65.dat	upx
behavioral1/memory/2784-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016cfc-69.dat	upx
behavioral1/files/0x0006000000016cfc-73.dat	upx
behavioral1/files/0x0006000000016d1d-75.dat	upx
behavioral1/files/0x0006000000016d1d-77.dat	upx
behavioral1/files/0x0006000000016d1d-83.dat	upx
behavioral1/memory/2532-84-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2980-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1792-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-90.dat	upx
behavioral1/files/0x0006000000016d3e-92.dat	upx
behavioral1/files/0x0006000000016d3e-97.dat	upx
behavioral1/memory/2116-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-101.dat	upx
behavioral1/files/0x0007000000016d2e-103.dat	upx
behavioral1/files/0x0007000000016d2e-109.dat	upx
behavioral1/files/0x0007000000016d2e-105.dat	upx
behavioral1/files/0x0007000000016d2e-113.dat	upx
behavioral1/files/0x0006000000016d63-115.dat	upx
behavioral1/files/0x0006000000016d63-117.dat	upx
behavioral1/files/0x0006000000016d63-121.dat	upx
behavioral1/files/0x0006000000016d76-129.dat	upx
behavioral1/memory/1420-126-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d76-127.dat	upx
behavioral1/memory/1508-125-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d76-133.dat	upx
behavioral1/files/0x0006000000016d76-136.dat	upx
behavioral1/files/0x0007000000016d6e-138.dat	upx
behavioral1/files/0x0007000000016d6e-140.dat	upx
behavioral1/memory/1252-144-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d6e-145.dat	upx
behavioral1/memory/2784-148-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d6e-149.dat	upx
behavioral1/files/0x0006000000016d82-151.dat	upx
behavioral1/files/0x0006000000016d82-154.dat	upx
behavioral1/memory/1252-153-0x00000000003B0000-0x00000000003CC000-memory.dmp	upx
behavioral1/files/0x0006000000016d82-158.dat	upx
behavioral1/memory/1696-162-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d97-163.dat	upx

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	System Restore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe
2984	backup.exe
2720	backup.exe
2784	backup.exe
2532	backup.exe
2116	backup.exe
2980	backup.exe
1792	backup.exe
1252	backup.exe
1508	backup.exe
1420	backup.exe
796	System Restore.exe
1960	backup.exe
1696	backup.exe
1976	backup.exe
2148	backup.exe
2352	backup.exe
2244	backup.exe
2376	backup.exe
1984	backup.exe
1556	backup.exe
692	backup.exe
2976	update.exe
808	backup.exe
1668	backup.exe
1032	backup.exe
2576	backup.exe
2464	System Restore.exe
2460	backup.exe
2452	backup.exe
1736	backup.exe
1588	backup.exe
2960	backup.exe
2704	backup.exe
2600	backup.exe
2628	backup.exe
1876	backup.exe
2496	backup.exe
1712	backup.exe
3064	data.exe
1084	backup.exe
1692	backup.exe
1552	backup.exe
2680	backup.exe
1948	backup.exe
580	backup.exe
1816	backup.exe
292	backup.exe
2784	backup.exe
2168	backup.exe
2356	backup.exe
1304	backup.exe
2280	backup.exe
3040	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2984	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	28
PID 2808 wrote to memory of 2720	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	29
PID 2808 wrote to memory of 2784	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	30
PID 2808 wrote to memory of 2532	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	31
PID 2808 wrote to memory of 2532	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	31
PID 2808 wrote to memory of 2532	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	31
PID 2808 wrote to memory of 2532	2808	NEAS.a032449643dc4f5d56aa50f8349400b0.exe	31
PID 2984 wrote to memory of 2116	2984	backup.exe	32
PID 2984 wrote to memory of 2116	2984	backup.exe	32
PID 2984 wrote to memory of 2116	2984	backup.exe	32
PID 2984 wrote to memory of 2116	2984	backup.exe	32
PID 2116 wrote to memory of 2980	2116	backup.exe	34
PID 2116 wrote to memory of 2980	2116	backup.exe	34
PID 2116 wrote to memory of 2980	2116	backup.exe	34
PID 2116 wrote to memory of 2980	2116	backup.exe	34
PID 2980 wrote to memory of 1792	2980	backup.exe	35
PID 2980 wrote to memory of 1792	2980	backup.exe	35
PID 2980 wrote to memory of 1792	2980	backup.exe	35
PID 2980 wrote to memory of 1792	2980	backup.exe	35
PID 2116 wrote to memory of 1252	2116	backup.exe	36
PID 2116 wrote to memory of 1252	2116	backup.exe	36
PID 2116 wrote to memory of 1252	2116	backup.exe	36
PID 2116 wrote to memory of 1252	2116	backup.exe	36
PID 1252 wrote to memory of 1508	1252	backup.exe	37
PID 1252 wrote to memory of 1508	1252	backup.exe	37
PID 1252 wrote to memory of 1508	1252	backup.exe	37
PID 1252 wrote to memory of 1508	1252	backup.exe	37
PID 1508 wrote to memory of 1420	1508	backup.exe	38
PID 1508 wrote to memory of 1420	1508	backup.exe	38
PID 1508 wrote to memory of 1420	1508	backup.exe	38
PID 1508 wrote to memory of 1420	1508	backup.exe	38
PID 1252 wrote to memory of 796	1252	backup.exe	39
PID 1252 wrote to memory of 796	1252	backup.exe	39
PID 1252 wrote to memory of 796	1252	backup.exe	39
PID 1252 wrote to memory of 796	1252	backup.exe	39
PID 796 wrote to memory of 1960	796	System Restore.exe	40
PID 796 wrote to memory of 1960	796	System Restore.exe	40
PID 796 wrote to memory of 1960	796	System Restore.exe	40
PID 796 wrote to memory of 1960	796	System Restore.exe	40
PID 1960 wrote to memory of 1696	1960	backup.exe	41
PID 1960 wrote to memory of 1696	1960	backup.exe	41
PID 1960 wrote to memory of 1696	1960	backup.exe	41
PID 1960 wrote to memory of 1696	1960	backup.exe	41
PID 1960 wrote to memory of 1976	1960	backup.exe	42
PID 1960 wrote to memory of 1976	1960	backup.exe	42
PID 1960 wrote to memory of 1976	1960	backup.exe	42
PID 1960 wrote to memory of 1976	1960	backup.exe	42
PID 1976 wrote to memory of 2148	1976	backup.exe	43
PID 1976 wrote to memory of 2148	1976	backup.exe	43
PID 1976 wrote to memory of 2148	1976	backup.exe	43
PID 1976 wrote to memory of 2148	1976	backup.exe	43
PID 1976 wrote to memory of 2352	1976	backup.exe	44
PID 1976 wrote to memory of 2352	1976	backup.exe	44
PID 1976 wrote to memory of 2352	1976	backup.exe	44
PID 1976 wrote to memory of 2352	1976	backup.exe	44

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.a032449643dc4f5d56aa50f8349400b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a032449643dc4f5d56aa50f8349400b0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\1233713008\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1233713008\backup.exe C:\Users\Admin\AppData\Local\Temp\1233713008\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2984
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2116
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2980
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1792
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1508
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1420
    - - C:\Program Files\Common Files\System Restore.exe
        
        "C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:796
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2148
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2352
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1948
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2680
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2784
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2356
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1876
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1304
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2496
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:292
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2960
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2704
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1816
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2280
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\
    3⤵
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:692
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:808
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
4fdee6835dd0cd7f960c2633de8edd26

SHA1
e9fae9a12a1dc785aee0f98f5d8bc257476ebe88

SHA256
9098a534c09bb867c581ca8d36177ed2c18898aeec3ec8ad53a82a63691b1eda

SHA512
cfdacc06cb8cd5a671512de8fa83260f39ce61b5e1ec867e2bfe31ea13a1dffa8f0fc8c13a6a49b7c42adeb23c505232b812dc308fdb33f44f736995133fac8d

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
65423f85219e47b512c16d08de74949b

SHA1
85d1375f102dd644838c273feea8d3ee4d3e1925

SHA256
ca07d4f0d700d501a7193db56398ab633a2f73d8ec51ebabd795e5cb1e01b353

SHA512
cafcf03a08083b3146d47250ef582327180f46af5eaab8b6fa3a9a9ab9b63fc6b466fcc243178a9a1740c6be7cd3aa9ad03b81721248cfdd1851334e638195dd

Download Submit
C:\PerfLogs\backup.exe

Filesize
84KB

MD5
65423f85219e47b512c16d08de74949b

SHA1
85d1375f102dd644838c273feea8d3ee4d3e1925

SHA256
ca07d4f0d700d501a7193db56398ab633a2f73d8ec51ebabd795e5cb1e01b353

SHA512
cafcf03a08083b3146d47250ef582327180f46af5eaab8b6fa3a9a9ab9b63fc6b466fcc243178a9a1740c6be7cd3aa9ad03b81721248cfdd1851334e638195dd

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
7447c597b51a8b8cd49e5d7be80b3fbe

SHA1
7fcce4f39768df5cafb640873161775f31fbd347

SHA256
2944bb20f81bae71c2e4704159968c42af515162f06ea21bc7951c38da2ea9f4

SHA512
a3c6f1782ab497ec3ad117f30357b0d611fa336a26c6508fe7859be2586fe73595d723148894cec3e9f0630477fa9e3a32c48709bbee726bab8d2593a5ba1b97

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
299435f43a09198583b2f5de4c74e580

SHA1
3c34f3b7c76d8831ec69385f0a4cb48abe1b10ae

SHA256
95a740363f310505ce335225b7f123e789340aba2b15c3e37fdf52f4f219728b

SHA512
9508efbd7a184f1717d81b2ad00011982b1568f41966d2da27a721acf65e4e63396f80f06d74a567d4bb51c5fb16bca891ffc7e1a6f6fa5ec9a9e1367a77954d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
299435f43a09198583b2f5de4c74e580

SHA1
3c34f3b7c76d8831ec69385f0a4cb48abe1b10ae

SHA256
95a740363f310505ce335225b7f123e789340aba2b15c3e37fdf52f4f219728b

SHA512
9508efbd7a184f1717d81b2ad00011982b1568f41966d2da27a721acf65e4e63396f80f06d74a567d4bb51c5fb16bca891ffc7e1a6f6fa5ec9a9e1367a77954d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
115414acc784d0fb5a792e2a21f1443d

SHA1
09479f53c7808e88abda51f7035cfda97ee44a41

SHA256
860333280ec07c463b0278787108a2c152149fc951eab5e831aca23ed9172b98

SHA512
200f4cb0927eff287954e5978a8f7d8ecead9623382fdf38956d409fe176fc2cee045e7fd9262e5f9cb13ec91d0b6979fbe51eeef443680369cb90b90df756a7

Download Submit
C:\Program Files\backup.exe

Filesize
84KB

MD5
115414acc784d0fb5a792e2a21f1443d

SHA1
09479f53c7808e88abda51f7035cfda97ee44a41

SHA256
860333280ec07c463b0278787108a2c152149fc951eab5e831aca23ed9172b98

SHA512
200f4cb0927eff287954e5978a8f7d8ecead9623382fdf38956d409fe176fc2cee045e7fd9262e5f9cb13ec91d0b6979fbe51eeef443680369cb90b90df756a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1233713008\backup.exe

Filesize
84KB

MD5
fdc00360fff93874b9f9d3539b7384ec

SHA1
8330ef0102be1f386adc7caa636a0408579037eb

SHA256
aebeaef8ce9381d3de40d9961c82b64de57aaaaf3b353d095a88fc2521927df7

SHA512
12f3efb6e2468ed8b66148a4959c61ef4275b7b006140e7716c0f2029914915cc6c6e82c456210f18fefe4c634e1d36c2922a43483b15406c7abdc1d3479cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1233713008\backup.exe

Filesize
84KB

MD5
fdc00360fff93874b9f9d3539b7384ec

SHA1
8330ef0102be1f386adc7caa636a0408579037eb

SHA256
aebeaef8ce9381d3de40d9961c82b64de57aaaaf3b353d095a88fc2521927df7

SHA512
12f3efb6e2468ed8b66148a4959c61ef4275b7b006140e7716c0f2029914915cc6c6e82c456210f18fefe4c634e1d36c2922a43483b15406c7abdc1d3479cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1233713008\backup.exe

Filesize
84KB

MD5
fdc00360fff93874b9f9d3539b7384ec

SHA1
8330ef0102be1f386adc7caa636a0408579037eb

SHA256
aebeaef8ce9381d3de40d9961c82b64de57aaaaf3b353d095a88fc2521927df7

SHA512
12f3efb6e2468ed8b66148a4959c61ef4275b7b006140e7716c0f2029914915cc6c6e82c456210f18fefe4c634e1d36c2922a43483b15406c7abdc1d3479cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
6f228297052bbedb43679f91ff250f21

SHA1
442a9f88d81b0872d58d8440a8a9a8c3a25bd50c

SHA256
18c257f0df459de4bc204b2924f0944b88815f6cf5c4ad9486ee10d41cb78ca4

SHA512
0be800fdda752df86f6bb371befe5e33c5991a3b817c94dc6a29df4046d53af4a530ad2ea8640ddb95104dc80194d1f9f848cd2573506cecc3b61d5d9799886e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
6f228297052bbedb43679f91ff250f21

SHA1
442a9f88d81b0872d58d8440a8a9a8c3a25bd50c

SHA256
18c257f0df459de4bc204b2924f0944b88815f6cf5c4ad9486ee10d41cb78ca4

SHA512
0be800fdda752df86f6bb371befe5e33c5991a3b817c94dc6a29df4046d53af4a530ad2ea8640ddb95104dc80194d1f9f848cd2573506cecc3b61d5d9799886e

Download Submit
C:\backup.exe

Filesize
84KB

MD5
6e1b4f4fec7d2e9148bd44fc42aba65f

SHA1
d03006aa14556a2b00fc339f2e2ffba6074615fe

SHA256
5f14a7002113648ce330b15be46f9040e4e856ca071a6034984e898aa2b39fd5

SHA512
e9b53acaed4495859f2f591114b91a8c74bad871d7e57756070562896bb7330e26f06d8f7d8e3d0816375562eed8a6abe1975b0d1f5c7258ac160ed1d27e0b86

Download Submit
C:\backup.exe

Filesize
84KB

MD5
6e1b4f4fec7d2e9148bd44fc42aba65f

SHA1
d03006aa14556a2b00fc339f2e2ffba6074615fe

SHA256
5f14a7002113648ce330b15be46f9040e4e856ca071a6034984e898aa2b39fd5

SHA512
e9b53acaed4495859f2f591114b91a8c74bad871d7e57756070562896bb7330e26f06d8f7d8e3d0816375562eed8a6abe1975b0d1f5c7258ac160ed1d27e0b86

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
4fdee6835dd0cd7f960c2633de8edd26

SHA1
e9fae9a12a1dc785aee0f98f5d8bc257476ebe88

SHA256
9098a534c09bb867c581ca8d36177ed2c18898aeec3ec8ad53a82a63691b1eda

SHA512
cfdacc06cb8cd5a671512de8fa83260f39ce61b5e1ec867e2bfe31ea13a1dffa8f0fc8c13a6a49b7c42adeb23c505232b812dc308fdb33f44f736995133fac8d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
84KB

MD5
4fdee6835dd0cd7f960c2633de8edd26

SHA1
e9fae9a12a1dc785aee0f98f5d8bc257476ebe88

SHA256
9098a534c09bb867c581ca8d36177ed2c18898aeec3ec8ad53a82a63691b1eda

SHA512
cfdacc06cb8cd5a671512de8fa83260f39ce61b5e1ec867e2bfe31ea13a1dffa8f0fc8c13a6a49b7c42adeb23c505232b812dc308fdb33f44f736995133fac8d

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
65423f85219e47b512c16d08de74949b

SHA1
85d1375f102dd644838c273feea8d3ee4d3e1925

SHA256
ca07d4f0d700d501a7193db56398ab633a2f73d8ec51ebabd795e5cb1e01b353

SHA512
cafcf03a08083b3146d47250ef582327180f46af5eaab8b6fa3a9a9ab9b63fc6b466fcc243178a9a1740c6be7cd3aa9ad03b81721248cfdd1851334e638195dd

Download Submit
\PerfLogs\backup.exe

Filesize
84KB

MD5
65423f85219e47b512c16d08de74949b

SHA1
85d1375f102dd644838c273feea8d3ee4d3e1925

SHA256
ca07d4f0d700d501a7193db56398ab633a2f73d8ec51ebabd795e5cb1e01b353

SHA512
cafcf03a08083b3146d47250ef582327180f46af5eaab8b6fa3a9a9ab9b63fc6b466fcc243178a9a1740c6be7cd3aa9ad03b81721248cfdd1851334e638195dd

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
7447c597b51a8b8cd49e5d7be80b3fbe

SHA1
7fcce4f39768df5cafb640873161775f31fbd347

SHA256
2944bb20f81bae71c2e4704159968c42af515162f06ea21bc7951c38da2ea9f4

SHA512
a3c6f1782ab497ec3ad117f30357b0d611fa336a26c6508fe7859be2586fe73595d723148894cec3e9f0630477fa9e3a32c48709bbee726bab8d2593a5ba1b97

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
84KB

MD5
7447c597b51a8b8cd49e5d7be80b3fbe

SHA1
7fcce4f39768df5cafb640873161775f31fbd347

SHA256
2944bb20f81bae71c2e4704159968c42af515162f06ea21bc7951c38da2ea9f4

SHA512
a3c6f1782ab497ec3ad117f30357b0d611fa336a26c6508fe7859be2586fe73595d723148894cec3e9f0630477fa9e3a32c48709bbee726bab8d2593a5ba1b97

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
299435f43a09198583b2f5de4c74e580

SHA1
3c34f3b7c76d8831ec69385f0a4cb48abe1b10ae

SHA256
95a740363f310505ce335225b7f123e789340aba2b15c3e37fdf52f4f219728b

SHA512
9508efbd7a184f1717d81b2ad00011982b1568f41966d2da27a721acf65e4e63396f80f06d74a567d4bb51c5fb16bca891ffc7e1a6f6fa5ec9a9e1367a77954d

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
84KB

MD5
299435f43a09198583b2f5de4c74e580

SHA1
3c34f3b7c76d8831ec69385f0a4cb48abe1b10ae

SHA256
95a740363f310505ce335225b7f123e789340aba2b15c3e37fdf52f4f219728b

SHA512
9508efbd7a184f1717d81b2ad00011982b1568f41966d2da27a721acf65e4e63396f80f06d74a567d4bb51c5fb16bca891ffc7e1a6f6fa5ec9a9e1367a77954d

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
84KB

MD5
de53e5ab2240877a51b9714fe6a82961

SHA1
432cd6e7bd34135e245d8ac12d76c36895ba6f83

SHA256
94cf19930dda0e36ccccb845a2fe6b466ae4950f224b071ae9e31ba943771177

SHA512
ed9280004f6b51ed1da1a60b467d7f793449f2c0f481ae168e2995da1c79efbda1438b291e09adbea0d145790cf3ff88a3c86f1ef687b8130fd8050984ac0508

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
84KB

MD5
a82f38059e95b61b8f5c77c5e467d2a5

SHA1
26594a3a653e7f29d1e061f394e8765c66531c61

SHA256
daa46af029402b334373506298e6024e0416cf915a1369a409d7fe1953174926

SHA512
5e4e33c9bb71a11d352d40bd77a07d165fc084c73e81d54cf51d5b8acaf633b666b661af8ee1eb5c6c13a095b6b0ec30d83926d118e1034441d597ce5c006af4

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe

Filesize
84KB

MD5
4a3695c57f41e83c753b4e9254c49b7c

SHA1
e77182782a273617eb40563b76025ca999690c5d

SHA256
a86b9aa154b888789d0446c84ab02cb9b80341ac2c34e7d6cd338bf287e85287

SHA512
084e44e045281b5b98dba528eb77ab4a701dcf39e1c1c933235e18c5759eac744aed06fa3a3d72c56a78996bea7e84d0759e19a6346d496ee312bab5eb252ba9

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
\Program Files\Common Files\System Restore.exe

Filesize
84KB

MD5
c8c491a2d2ecf090bc7df6cd2e6a90c7

SHA1
48ccf2410f8a67326921172cf48238ee26009bc9

SHA256
a9971580d69c05aa2bc3aa1213fe7eab7f27aeab7f2bacc343a71309c51383fe

SHA512
76333129420caab3cf2fdd65bc86c395ac767db323584166a2d1ae5ec16190d10fe1d541451e6096c9634a88fc7e7ef77ec07558df7b1d5386351a3844f7d8a5

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
115414acc784d0fb5a792e2a21f1443d

SHA1
09479f53c7808e88abda51f7035cfda97ee44a41

SHA256
860333280ec07c463b0278787108a2c152149fc951eab5e831aca23ed9172b98

SHA512
200f4cb0927eff287954e5978a8f7d8ecead9623382fdf38956d409fe176fc2cee045e7fd9262e5f9cb13ec91d0b6979fbe51eeef443680369cb90b90df756a7

Download Submit
\Program Files\backup.exe

Filesize
84KB

MD5
115414acc784d0fb5a792e2a21f1443d

SHA1
09479f53c7808e88abda51f7035cfda97ee44a41

SHA256
860333280ec07c463b0278787108a2c152149fc951eab5e831aca23ed9172b98

SHA512
200f4cb0927eff287954e5978a8f7d8ecead9623382fdf38956d409fe176fc2cee045e7fd9262e5f9cb13ec91d0b6979fbe51eeef443680369cb90b90df756a7

Download Submit
\Users\Admin\AppData\Local\Temp\1233713008\backup.exe

Filesize
84KB

MD5
fdc00360fff93874b9f9d3539b7384ec

SHA1
8330ef0102be1f386adc7caa636a0408579037eb

SHA256
aebeaef8ce9381d3de40d9961c82b64de57aaaaf3b353d095a88fc2521927df7

SHA512
12f3efb6e2468ed8b66148a4959c61ef4275b7b006140e7716c0f2029914915cc6c6e82c456210f18fefe4c634e1d36c2922a43483b15406c7abdc1d3479cbf3

Download Submit
\Users\Admin\AppData\Local\Temp\1233713008\backup.exe

Filesize
84KB

MD5
fdc00360fff93874b9f9d3539b7384ec

SHA1
8330ef0102be1f386adc7caa636a0408579037eb

SHA256
aebeaef8ce9381d3de40d9961c82b64de57aaaaf3b353d095a88fc2521927df7

SHA512
12f3efb6e2468ed8b66148a4959c61ef4275b7b006140e7716c0f2029914915cc6c6e82c456210f18fefe4c634e1d36c2922a43483b15406c7abdc1d3479cbf3

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
84KB

MD5
f821b7a29f9cbc1d3c2b49f2f63027f9

SHA1
233f15bc29cedae3dc7abd5c6941ee8571062248

SHA256
ca94c49f5e2b3293ee6396af3c8e20564a053989e5c1dc1d3fc8189e538c5aba

SHA512
b2ab67448a41091889f0366a52fcbc0980fa0abf848e01904dd6e782115c02c095dc04951a0f70044ab06edc77a554b1a3a91fd3999088ec0cb244c23c7c0594

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
6f228297052bbedb43679f91ff250f21

SHA1
442a9f88d81b0872d58d8440a8a9a8c3a25bd50c

SHA256
18c257f0df459de4bc204b2924f0944b88815f6cf5c4ad9486ee10d41cb78ca4

SHA512
0be800fdda752df86f6bb371befe5e33c5991a3b817c94dc6a29df4046d53af4a530ad2ea8640ddb95104dc80194d1f9f848cd2573506cecc3b61d5d9799886e

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
84KB

MD5
6f228297052bbedb43679f91ff250f21

SHA1
442a9f88d81b0872d58d8440a8a9a8c3a25bd50c

SHA256
18c257f0df459de4bc204b2924f0944b88815f6cf5c4ad9486ee10d41cb78ca4

SHA512
0be800fdda752df86f6bb371befe5e33c5991a3b817c94dc6a29df4046d53af4a530ad2ea8640ddb95104dc80194d1f9f848cd2573506cecc3b61d5d9799886e

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
84KB

MD5
8e9ce0fccf25c128e7cdf1156dadd613

SHA1
05a10bb1b235a19bac7ad607a43966b773c841a4

SHA256
c6f95e2b32d456a36dd771dcc49688d735e1cad6f7c6442b479ec6f89f1933ac

SHA512
e04029e6bff191e121ca0b87c83b0e33cd7306e46dfaf7f1b40033a1659ebe7f500af1788a6070f38a4ee6efaad255d5f2a77499ad0e5214c233cc72260da5c3

Download Submit
memory/692-257-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/796-407-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/796-416-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/796-178-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/796-370-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/808-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1032-284-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-153-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1252-385-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1252-386-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1252-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-171-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1252-110-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1420-126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1508-125-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1556-248-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1556-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1588-340-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1668-277-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1712-401-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1736-329-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1736-353-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1736-349-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1792-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1876-388-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1960-189-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1960-207-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1960-169-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1976-215-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1976-208-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1984-234-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2116-336-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2116-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2148-187-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2244-212-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2352-199-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2376-223-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2452-317-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2464-302-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2532-84-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2600-361-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2628-398-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2704-414-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2704-372-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2720-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-11-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2808-80-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2808-253-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2808-242-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2808-35-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-243-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2808-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2960-371-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2976-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2976-258-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2980-81-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2980-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-96-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/3064-413-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads