62e3d549cc4e902308195bbeca49585a6a899fcee8df6766eaacc37128ec9f04

Analysis

max time kernel
73s
max time network
17s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
Size

338KB
MD5

7a6075819eb3107c5005de18d7733f00
SHA1

8ab1e2eb6620d994f0f7daafe4e1896a802a265e
SHA256

62e3d549cc4e902308195bbeca49585a6a899fcee8df6766eaacc37128ec9f04
SHA512

98c0703037f2f5ece815b4e44e8a38c3d40f641f7c39ea9885ff6de49dac81bc7a97ffca4c8bcf7d234ee18ca2a1f586e37bd4c2d357bf6d7d72ac113f73f368
SSDEEP

3072:BmVwRKCrIYlW9dLKEl4MC0iFixWS1WC2P9/KvI:BmVn6O4Ep3s7BZD

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 48 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2984	update.exe
2720	backup.exe
2784	backup.exe
1876	backup.exe
2496	backup.exe
2980	backup.exe
756	backup.exe
1376	backup.exe
2880	data.exe
1856	backup.exe
1268	backup.exe
920	update.exe
1444	backup.exe
1996	backup.exe
2332	backup.exe
2844	backup.exe
620	backup.exe
1556	backup.exe
1004	backup.exe
2364	System Restore.exe
2560	backup.exe
2196	backup.exe
2304	backup.exe
2396	backup.exe
2460	backup.exe
2232	backup.exe
2772	backup.exe
1588	backup.exe
2636	backup.exe
2704	backup.exe
2600	backup.exe
2768	backup.exe
2216	backup.exe
2492	backup.exe
524	backup.exe
2896	backup.exe
1044	backup.exe
856	backup.exe
2248	backup.exe
1252	backup.exe
1692	backup.exe
2804	backup.exe
796	backup.exe
740	backup.exe
1624	backup.exe
1960	update.exe
1700	backup.exe
1896	backup.exe
744	backup.exe
2132	backup.exe
848	backup.exe
2148	data.exe
3004	backup.exe
2852	backup.exe
1984	backup.exe
2932	backup.exe
1980	backup.exe
832	backup.exe
1776	backup.exe
1756	backup.exe
1956	backup.exe
1576	backup.exe
2576	backup.exe
1764	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2984	update.exe
2984	update.exe
2984	update.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
1876	backup.exe
2496	backup.exe
2496	backup.exe
2980	backup.exe
2980	backup.exe
2980	backup.exe
2980	backup.exe
2980	backup.exe
756	backup.exe
756	backup.exe
756	backup.exe
2496	backup.exe
2496	backup.exe
1376	backup.exe
1376	backup.exe
1376	backup.exe
1376	backup.exe
1376	backup.exe
2880	data.exe
2880	data.exe
2880	data.exe
2880	data.exe
2880	data.exe
1856	backup.exe
1856	backup.exe
1856	backup.exe
1376	backup.exe
1376	backup.exe
1268	backup.exe
1268	backup.exe
1268	backup.exe
1268	backup.exe
920	update.exe
920	update.exe
920	update.exe
920	update.exe
920	update.exe
1444	backup.exe
1444	backup.exe
1444	backup.exe
920	update.exe
920	update.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
1996	backup.exe
2332	backup.exe
2332	backup.exe
2332	backup.exe
1996	backup.exe
1996	backup.exe
2844	backup.exe
2844	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0038000000015ec7-5.dat	upx
behavioral1/files/0x0038000000015ec7-8.dat	upx
behavioral1/files/0x0038000000015ec7-9.dat	upx
behavioral1/files/0x0038000000015ec7-11.dat	upx
behavioral1/files/0x0038000000015ec7-10.dat	upx
behavioral1/files/0x0038000000015ec7-13.dat	upx
behavioral1/files/0x0008000000016471-17.dat	upx
behavioral1/files/0x0008000000016471-16.dat	upx
behavioral1/files/0x0008000000016471-23.dat	upx
behavioral1/files/0x0008000000016471-19.dat	upx
behavioral1/memory/2720-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001681a-28.dat	upx
behavioral1/memory/2808-34-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001681a-30.dat	upx
behavioral1/files/0x000700000001681a-35.dat	upx
behavioral1/memory/2784-37-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016669-41.dat	upx
behavioral1/files/0x0008000000016669-47.dat	upx
behavioral1/files/0x0008000000016669-43.dat	upx
behavioral1/memory/2984-48-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016669-52.dat	upx
behavioral1/files/0x0008000000016cac-59.dat	upx
behavioral1/files/0x0009000000016c76-60.dat	upx
behavioral1/files/0x0008000000016cac-61.dat	upx
behavioral1/memory/2496-63-0x0000000000020000-0x000000000003C000-memory.dmp	upx
behavioral1/files/0x0006000000016cfc-68.dat	upx
behavioral1/files/0x0006000000016cfc-71.dat	upx
behavioral1/files/0x0006000000016cfc-75.dat	upx
behavioral1/memory/2784-70-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016cfc-80.dat	upx
behavioral1/files/0x0006000000016cfc-79.dat	upx
behavioral1/files/0x0006000000016cfc-78.dat	upx
behavioral1/files/0x0006000000016cfc-77.dat	upx
behavioral1/files/0x0006000000016d1d-84.dat	upx
behavioral1/files/0x0006000000016d1d-92.dat	upx
behavioral1/files/0x0006000000016d1d-96.dat	upx
behavioral1/files/0x0006000000016d1d-95.dat	upx
behavioral1/files/0x0006000000016d1d-94.dat	upx
behavioral1/files/0x0006000000016d1d-93.dat	upx
behavioral1/memory/1876-91-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d1d-87.dat	upx
behavioral1/files/0x0006000000016d3e-100.dat	upx
behavioral1/files/0x0006000000016d3e-102.dat	upx
behavioral1/memory/2496-107-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-106.dat	upx
behavioral1/memory/756-112-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-111.dat	upx
behavioral1/files/0x0006000000016d3e-110.dat	upx
behavioral1/files/0x0006000000016d3e-109.dat	upx
behavioral1/files/0x0006000000016d3e-108.dat	upx
behavioral1/memory/2980-114-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d2e-120.dat	upx
behavioral1/files/0x0007000000016d2e-131.dat	upx
behavioral1/files/0x0007000000016d2e-130.dat	upx
behavioral1/files/0x0007000000016d2e-129.dat	upx
behavioral1/files/0x0007000000016d2e-128.dat	upx
behavioral1/files/0x0007000000016d2e-126.dat	upx
behavioral1/files/0x0007000000016d2e-122.dat	upx
behavioral1/memory/2784-135-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016d63-137.dat	upx
behavioral1/files/0x0006000000016d63-139.dat	upx
behavioral1/files/0x0006000000016d63-148.dat	upx
behavioral1/files/0x0006000000016d63-147.dat	upx

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	update.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	update.exe
File opened for modification	C:\Program Files\7-Zip\data.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	data.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	update.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
2984	update.exe
2720	backup.exe
2784	backup.exe
1876	backup.exe
2496	backup.exe
2980	backup.exe
756	backup.exe
1376	backup.exe
2880	data.exe
1856	backup.exe
1268	backup.exe
920	update.exe
1444	backup.exe
1996	backup.exe
2332	backup.exe
2844	backup.exe
620	backup.exe
1556	backup.exe
1004	backup.exe
2364	System Restore.exe
2560	backup.exe
2196	backup.exe
2304	backup.exe
2396	backup.exe
2232	backup.exe
2460	backup.exe
2772	backup.exe
1588	backup.exe
2636	backup.exe
2704	backup.exe
2600	backup.exe
2768	backup.exe
2216	backup.exe
2492	backup.exe
524	backup.exe
1044	backup.exe
856	backup.exe
2248	backup.exe
1252	backup.exe
1692	backup.exe
1624	backup.exe
740	backup.exe
796	backup.exe
1960	update.exe
1700	backup.exe
1896	backup.exe
2132	backup.exe
3004	backup.exe
744	backup.exe
832	backup.exe
1980	backup.exe
848	backup.exe
1984	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2984	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	28
PID 2808 wrote to memory of 2720	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	29
PID 2808 wrote to memory of 2720	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	29
PID 2808 wrote to memory of 2784	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	30
PID 2808 wrote to memory of 2784	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	30
PID 2808 wrote to memory of 1876	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	31
PID 2808 wrote to memory of 1876	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	31
PID 2808 wrote to memory of 1876	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	31
PID 2808 wrote to memory of 1876	2808	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe	31
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2984 wrote to memory of 2496	2984	update.exe	32
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2496 wrote to memory of 2980	2496	backup.exe	34
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2980 wrote to memory of 756	2980	backup.exe	35
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 2496 wrote to memory of 1376	2496	backup.exe	36
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 1376 wrote to memory of 2880	1376	backup.exe	37
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 2880 wrote to memory of 1856	2880	data.exe	38
PID 1376 wrote to memory of 1268	1376	backup.exe	39
PID 1376 wrote to memory of 1268	1376	backup.exe	39
PID 1376 wrote to memory of 1268	1376	backup.exe	39

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7a6075819eb3107c5005de18d7733f00_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2808
- C:\Users\Admin\AppData\Local\Temp\3018676206\update.exe
  C:\Users\Admin\AppData\Local\Temp\3018676206\update.exe C:\Users\Admin\AppData\Local\Temp\3018676206\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2984
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2496
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2980
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:756
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1376
    - - C:\Program Files\7-Zip\data.exe
        
        "C:\Program Files\7-Zip\data.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2880
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1856
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1268
      - C:\Program Files\Common Files\Microsoft Shared\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\update.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:920
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1444
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2364
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2304
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2232
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1588
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2492
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:796
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        
        PID:2236
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2132
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:3024
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:740
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:2736
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1712
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:484
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\update.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2704
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1532
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1692
      - C:\Program Files\Common Files\SpeechEngines\update.exe
        
        "C:\Program Files\Common Files\SpeechEngines\update.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1960
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2520
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Executes dropped EXE
        
        PID:2932
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1252
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1624
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1896
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2028
      - C:\Program Files\DVD Maker\it-IT\System Restore.exe
        
        "C:\Program Files\DVD Maker\it-IT\System Restore.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2540
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        Executes dropped EXE
        
        PID:2852
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Executes dropped EXE
        
        PID:1764
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2988
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1636
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1044
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Executes dropped EXE
        
        PID:2804
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2172
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2772
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2556
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:848
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Executes dropped EXE
      PID:1576
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\
      4⤵
      Executes dropped EXE
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\
      4⤵
      Executes dropped EXE
      PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\
      4⤵
      Executes dropped EXE
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\
      4⤵
      PID:524
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\
    3⤵
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\
    3⤵
    PID:2416
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:524
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
C:\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
C:\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
C:\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
C:\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
338KB

MD5
5aa72b2867799d07bf463f74ea9313e1

SHA1
649a4e0a5741daa5ce07a5d9aca43f0fb398cad0

SHA256
d774993bbc7bfebc784ec79f93f751015276d9b1df8554c18ff9dd9fef410ef9

SHA512
cbef66984d650eefca4e44db1be4a9028bc3eef44f7c368e2b400a105c0a78fa3e7c7a9fdad3f56798347bf32acdb17d0c6078f8a64fa506d696957ea552c5c6

Download Submit
C:\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
338KB

MD5
5aa72b2867799d07bf463f74ea9313e1

SHA1
649a4e0a5741daa5ce07a5d9aca43f0fb398cad0

SHA256
d774993bbc7bfebc784ec79f93f751015276d9b1df8554c18ff9dd9fef410ef9

SHA512
cbef66984d650eefca4e44db1be4a9028bc3eef44f7c368e2b400a105c0a78fa3e7c7a9fdad3f56798347bf32acdb17d0c6078f8a64fa506d696957ea552c5c6

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
C:\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
C:\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
C:\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
338KB

MD5
2d8b3cd0d47613498ebd0f93f40cf046

SHA1
20fa985dc2d522d5654632621772cd2778633257

SHA256
e05fd8aea8a4508afc2c64288c7371cfa2a89e523cc9149ddbe7cabb96e9ac9d

SHA512
33009df1d7f1f01a8ff7d680e9377da45b0f466ea2873342fb2e1c553099df32e65cb218d8c3a0280248a4856cd5ef64bd6b1b327958d485344bbacda2c281f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
338KB

MD5
2d8b3cd0d47613498ebd0f93f40cf046

SHA1
20fa985dc2d522d5654632621772cd2778633257

SHA256
e05fd8aea8a4508afc2c64288c7371cfa2a89e523cc9149ddbe7cabb96e9ac9d

SHA512
33009df1d7f1f01a8ff7d680e9377da45b0f466ea2873342fb2e1c553099df32e65cb218d8c3a0280248a4856cd5ef64bd6b1b327958d485344bbacda2c281f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
C:\backup.exe

Filesize
338KB

MD5
1ca8503b337e76be1ebc12adaa1c7688

SHA1
bf088d2383d1707e8c71b86f44bf696253426184

SHA256
f99c89e79c0af3c597be645a287a3f7e9b2239bb28431cbf1086e0e9f1cd871f

SHA512
35cd45dc9149f88d08178da7f1c731fadacb83ffc0a6670f4ddb3cc1d090a460136dafe44674c01fa7a4347e8292f9cbc7eb990e1144340172a21160c1935aa7

Download Submit
C:\backup.exe

Filesize
338KB

MD5
1ca8503b337e76be1ebc12adaa1c7688

SHA1
bf088d2383d1707e8c71b86f44bf696253426184

SHA256
f99c89e79c0af3c597be645a287a3f7e9b2239bb28431cbf1086e0e9f1cd871f

SHA512
35cd45dc9149f88d08178da7f1c731fadacb83ffc0a6670f4ddb3cc1d090a460136dafe44674c01fa7a4347e8292f9cbc7eb990e1144340172a21160c1935aa7

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
338KB

MD5
be79a0b9874dba4b21d49844dbb03d5c

SHA1
294461c5c258e8c14995cd939535ef2288807412

SHA256
001bba5bdad9575bfdc1fc424739d3696e2842370a0b48280ea9651b94f68104

SHA512
810421c72f2666657fbc578869a5038c5dbeb217b6c14fe434855ae016bec60412ca53e6f6f7ee5281e175f13f889a99789eb7bba1b75851f2c61ca29687172c

Download Submit
\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\PerfLogs\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
338KB

MD5
5897aba0dd04c6f867c081e1e2c1ff6e

SHA1
1f37ca24065b76d795705dab4944fd05d26a0f61

SHA256
d11643314e895c0545e440e3b5168aa42025e41d83704a1c46692a48392d5479

SHA512
3a1c5db700e4a5f999f3daaa4bc64d184cbc66e3445bb75ce8ac3074825422e8c7bda1f7cb1c8b67a096ac56a689d0e08a636da509d184f12b85e8786931e0e5

Download Submit
\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
\Program Files\7-Zip\data.exe

Filesize
338KB

MD5
3b6796e7e3404d7114bd5518ae616dc1

SHA1
9e50c82da873718e43badf7cbbd0e4ddcb08292c

SHA256
e56c95fb2ce805031f2bbfda64b770c50d11d8164615a50dc537ba58de4d9c13

SHA512
2da88604f778ca3c591faf27d0573ea666c0f9b834cdded5e5c8fdcbb0bb727daaf21401fa12a61ce50331a5af3664dcad5c8e0be2931f40900e96f65322a00d

Download Submit
\Program Files\Common Files\Microsoft Shared\update.exe

Filesize
338KB

MD5
5aa72b2867799d07bf463f74ea9313e1

SHA1
649a4e0a5741daa5ce07a5d9aca43f0fb398cad0

SHA256
d774993bbc7bfebc784ec79f93f751015276d9b1df8554c18ff9dd9fef410ef9

SHA512
cbef66984d650eefca4e44db1be4a9028bc3eef44f7c368e2b400a105c0a78fa3e7c7a9fdad3f56798347bf32acdb17d0c6078f8a64fa506d696957ea552c5c6

Download Submit
\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
\Program Files\Common Files\backup.exe

Filesize
338KB

MD5
0e6914017dafe30d2a59d5078572c9aa

SHA1
bfa3cc02756065bd6c1aab77e64f250ee59714e1

SHA256
f6e5864207f93d6b50b15dc5c126aaba8ae5b345008d4819bc87e0402ea5fbbb

SHA512
95086fd6e81ff7b55c95a87a73612233df3e2a61be7e07a3e5a350fe558225f9da043a2c2e50a9063b796b68e19d422a9210a306536526e4832b704794ae97b3

Download Submit
\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Program Files\backup.exe

Filesize
338KB

MD5
3e68e4061a96baf11047542d5dc76ce8

SHA1
a18edd92c6e9738f4c5eb8100bd1e44f903877c2

SHA256
d207dffffbef71e86f3b58aa665788cc18f312cffe0c2982e51e22319521aaee

SHA512
e0721355ce44df1a15ac43f9447f010337ecc30875943b32066fbbe423936b2d5028d2b380065e0ee593407ce5f1ed7e888a3e1b4962d23e06ae35489419ae95

Download Submit
\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
\Users\Admin\AppData\Local\Temp\3018676206\update.exe

Filesize
338KB

MD5
e7d66fd4020b59b8491c2282a856643a

SHA1
76e16800e4589f693d469ede63ed47063cbb3206

SHA256
e3144bdcaf59930a09b046e2460e281c8e43a351ba428f3cd1249057f51afe11

SHA512
2e5c19ffb4549211643420f08ad5d50af371ac5f52f7edc6701848fd9733e83598d2a335ab503e546403cd11ae364d2a69f553fe5fb4131ffa5cdf910af8b06b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
338KB

MD5
2d8b3cd0d47613498ebd0f93f40cf046

SHA1
20fa985dc2d522d5654632621772cd2778633257

SHA256
e05fd8aea8a4508afc2c64288c7371cfa2a89e523cc9149ddbe7cabb96e9ac9d

SHA512
33009df1d7f1f01a8ff7d680e9377da45b0f466ea2873342fb2e1c553099df32e65cb218d8c3a0280248a4856cd5ef64bd6b1b327958d485344bbacda2c281f6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
338KB

MD5
2d8b3cd0d47613498ebd0f93f40cf046

SHA1
20fa985dc2d522d5654632621772cd2778633257

SHA256
e05fd8aea8a4508afc2c64288c7371cfa2a89e523cc9149ddbe7cabb96e9ac9d

SHA512
33009df1d7f1f01a8ff7d680e9377da45b0f466ea2873342fb2e1c553099df32e65cb218d8c3a0280248a4856cd5ef64bd6b1b327958d485344bbacda2c281f6

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
338KB

MD5
c178cdfd51090b748f52461f9b415f86

SHA1
7e389697b4ac829cd5ecf3358680bccbcb5c87df

SHA256
e4cb7065e99f0bf75229c49aee3907647d6e43d9c78f9caec18032357b11d853

SHA512
d2beaca8c84354aeffb15fbba4f873b512b2e935f0fad29a5b0039f09f910d9791a819e7dcc815f2b1ce7ca2810741bd2fecbdf3092ad8a74bf01addea58c97b

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
338KB

MD5
725cc59450602874d7980b606d4fb7ec

SHA1
ca193b241551ffcf10c1d3877f9e749a90d3b07a

SHA256
992b6b7b69177eb0ffb5c05a12a87ba6ea54de26c366655b7291edf86d394902

SHA512
85333ebde2b7b48d842d88d5b6fbe60f3b712dc30da6434c27c69f7aab7757052f37a87f7ef93525969b66c1aa431d109be54fabde95609ab3dca7361ed585f2

Download Submit
memory/620-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-244-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/756-112-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-217-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/920-202-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/920-180-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/920-210-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/920-212-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/920-213-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/920-239-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/1268-205-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1268-199-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1268-168-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1268-200-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1268-206-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/1268-177-0x00000000005E0000-0x00000000005FC000-memory.dmp

Filesize
112KB

Download
memory/1268-201-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1268-171-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1376-170-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1376-113-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1376-163-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1376-127-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1376-115-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1444-192-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1444-188-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1444-190-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1444-194-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1856-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1856-149-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1856-151-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1876-91-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1996-204-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1996-203-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1996-240-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1996-241-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/1996-242-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2332-219-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2332-221-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2332-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2332-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2496-116-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2496-76-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2496-64-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2496-107-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2496-63-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2496-62-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2720-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-70-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2784-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-85-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2808-34-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2808-36-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2808-49-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2808-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2844-233-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2844-229-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2844-230-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2880-133-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2880-155-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2880-143-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2980-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-48-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-12-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads