ad947110ba97c0e2cc44cc201ea2c5438820c0286db911d92bd36f43bfd8ea43

Analysis

max time kernel
19s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Size

447KB
MD5

e9a9c09e827051e1b775a4e2daff0b70
SHA1

a3996bd3b37e73ea8365c47f70287d8d599650ed
SHA256

ad947110ba97c0e2cc44cc201ea2c5438820c0286db911d92bd36f43bfd8ea43
SHA512

78d07741b7a6360082f870250587d55ffd6125bdb13469c369fa9867274348f798b885e080ddbdcd23e1f5edad46e273f565cdd907c9c4dfc864bc7f483e94a1
SSDEEP

768:CpQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEm3:CeT7BVwxfvLFwjR3

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2968	backup.exe
2664	backup.exe
2792	System Restore.exe
2604	backup.exe
2172	backup.exe
2516	backup.exe
2180	backup.exe
520	backup.exe
1376	update.exe
2268	backup.exe
924	backup.exe
1816	backup.exe
1492	backup.exe
1404	backup.exe
2068	backup.exe
2924	backup.exe
3020	backup.exe
2184	backup.exe
2980	System Restore.exe
1060	backup.exe
1016	backup.exe
2088	backup.exe
1052	backup.exe
2940	data.exe
2164	backup.exe
2036	data.exe
1572	backup.exe
2836	backup.exe
1716	System Restore.exe
2588	backup.exe
2804	backup.exe
2708	data.exe
2788	backup.exe
2616	backup.exe
2760	backup.exe
2456	backup.exe
3060	backup.exe
1664	backup.exe
1528	backup.exe
1308	backup.exe
2136	backup.exe
1856	backup.exe
1812	backup.exe
2196	data.exe
2792	backup.exe
312	backup.exe
824	backup.exe
1136	backup.exe
1644	backup.exe
3048	backup.exe
2800	backup.exe
1860	backup.exe
440	update.exe
1036	backup.exe
1396	backup.exe
2964	backup.exe
972	backup.exe
1660	backup.exe
1872	backup.exe
2160	System Restore.exe
856	backup.exe
2012	backup.exe
1600	backup.exe
2244	data.exe

Loads dropped DLL 64 IoCs

pid	Process
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2604	backup.exe
2172	backup.exe
2172	backup.exe
2516	backup.exe
2516	backup.exe
2172	backup.exe
2172	backup.exe
520	backup.exe
1376	update.exe
1376	update.exe
1376	update.exe
1376	update.exe
1376	update.exe
2268	backup.exe
2268	backup.exe
2268	backup.exe
520	backup.exe
520	backup.exe
924	backup.exe
924	backup.exe
1816	backup.exe
1816	backup.exe
1816	backup.exe
1816	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
2604	backup.exe
2184	backup.exe
2184	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
2184	backup.exe
1404	backup.exe
2184	backup.exe
2184	backup.exe
2184	backup.exe
1404	backup.exe
1404	backup.exe
2184	backup.exe
2184	backup.exe
1404	backup.exe
1404	backup.exe
2184	backup.exe
2184	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
1404	backup.exe
2184	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2776-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0011000000014495-5.dat	upx
behavioral1/files/0x0011000000014495-9.dat	upx
behavioral1/files/0x0011000000014495-7.dat	upx
behavioral1/files/0x0011000000014495-12.dat	upx
behavioral1/files/0x0008000000014690-18.dat	upx
behavioral1/files/0x0008000000014690-16.dat	upx
behavioral1/files/0x0008000000014690-22.dat	upx
behavioral1/memory/2664-24-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2664-28-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000014ac5-29.dat	upx
behavioral1/files/0x0007000000014ac5-35.dat	upx
behavioral1/memory/2776-36-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000014ac5-31.dat	upx
behavioral1/files/0x00090000000146a9-40.dat	upx
behavioral1/files/0x00090000000146a9-46.dat	upx
behavioral1/files/0x00090000000146a9-42.dat	upx
behavioral1/files/0x0011000000014495-48.dat	upx
behavioral1/memory/2968-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000014b7a-58.dat	upx
behavioral1/files/0x00090000000146a9-61.dat	upx
behavioral1/files/0x0008000000014b7a-63.dat	upx
behavioral1/files/0x00060000000155a9-64.dat	upx
behavioral1/files/0x00060000000155fc-66.dat	upx
behavioral1/files/0x00060000000155fc-68.dat	upx
behavioral1/files/0x00060000000155fc-72.dat	upx
behavioral1/memory/2792-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00060000000155fc-76.dat	upx
behavioral1/files/0x0006000000015614-78.dat	upx
behavioral1/files/0x0006000000015614-80.dat	upx
behavioral1/memory/2604-81-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015614-85.dat	upx
behavioral1/memory/2180-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2516-90-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c1b-94.dat	upx
behavioral1/files/0x0007000000015c1b-91.dat	upx
behavioral1/files/0x0007000000015c1b-99.dat	upx
behavioral1/files/0x0007000000015c1b-102.dat	upx
behavioral1/files/0x0006000000015c33-104.dat	upx
behavioral1/memory/2172-105-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c33-108.dat	upx
behavioral1/files/0x0006000000015c33-109.dat	upx
behavioral1/files/0x0006000000015c33-111.dat	upx
behavioral1/files/0x0006000000015c33-110.dat	upx
behavioral1/files/0x0006000000015c33-112.dat	upx
behavioral1/files/0x0006000000015c56-116.dat	upx
behavioral1/files/0x0006000000015c56-123.dat	upx
behavioral1/memory/2268-128-0x0000000000020000-0x000000000003C000-memory.dmp	upx
behavioral1/files/0x0006000000015c56-127.dat	upx
behavioral1/files/0x0006000000015c56-126.dat	upx
behavioral1/files/0x0006000000015c56-125.dat	upx
behavioral1/files/0x0006000000015c56-124.dat	upx
behavioral1/files/0x0006000000015c56-118.dat	upx
behavioral1/memory/520-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c6f-141.dat	upx
behavioral1/files/0x0006000000015c6f-137.dat	upx
behavioral1/files/0x0006000000015c6f-147.dat	upx
behavioral1/memory/2792-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2268-145-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1376-146-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015c4a-156.dat	upx
behavioral1/files/0x0007000000015c4a-152.dat	upx
behavioral1/files/0x0007000000015c4a-150.dat	upx
behavioral1/files/0x0007000000015c4a-159.dat	upx

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
2968	backup.exe
2664	backup.exe
2792	System Restore.exe
2604	backup.exe
2172	backup.exe
2516	backup.exe
2180	backup.exe
520	backup.exe
1376	update.exe
2268	backup.exe
924	backup.exe
1816	backup.exe
1492	backup.exe
1404	backup.exe
2068	backup.exe
2924	backup.exe
3020	backup.exe
2184	backup.exe
1060	backup.exe
2980	System Restore.exe
2088	backup.exe
1016	backup.exe
1052	backup.exe
2940	data.exe
2164	backup.exe
2036	data.exe
1572	backup.exe
2836	backup.exe
1716	System Restore.exe
2588	backup.exe
2804	backup.exe
2708	data.exe
2788	backup.exe
2616	backup.exe
2456	backup.exe
2760	backup.exe
1664	backup.exe
3060	backup.exe
1528	backup.exe
1308	backup.exe
2136	backup.exe
1856	backup.exe
1812	backup.exe
2196	data.exe
2792	backup.exe
312	backup.exe
824	backup.exe
1644	backup.exe
1136	backup.exe
3048	backup.exe
2800	backup.exe
1860	backup.exe
1036	backup.exe
2964	backup.exe
1396	backup.exe
440	update.exe
972	backup.exe
1660	backup.exe
1872	backup.exe
2160	System Restore.exe
856	backup.exe
2012	backup.exe
1600	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2968	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	28
PID 2776 wrote to memory of 2968	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	28
PID 2776 wrote to memory of 2968	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	28
PID 2776 wrote to memory of 2968	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	28
PID 2776 wrote to memory of 2664	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	29
PID 2776 wrote to memory of 2664	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	29
PID 2776 wrote to memory of 2664	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	29
PID 2776 wrote to memory of 2664	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	29
PID 2776 wrote to memory of 2792	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	30
PID 2776 wrote to memory of 2792	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	30
PID 2776 wrote to memory of 2792	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	30
PID 2776 wrote to memory of 2792	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	30
PID 2776 wrote to memory of 2604	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	31
PID 2776 wrote to memory of 2604	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	31
PID 2776 wrote to memory of 2604	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	31
PID 2776 wrote to memory of 2604	2776	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe	31
PID 2968 wrote to memory of 2172	2968	backup.exe	32
PID 2968 wrote to memory of 2172	2968	backup.exe	32
PID 2968 wrote to memory of 2172	2968	backup.exe	32
PID 2968 wrote to memory of 2172	2968	backup.exe	32
PID 2172 wrote to memory of 2516	2172	backup.exe	34
PID 2172 wrote to memory of 2516	2172	backup.exe	34
PID 2172 wrote to memory of 2516	2172	backup.exe	34
PID 2172 wrote to memory of 2516	2172	backup.exe	34
PID 2516 wrote to memory of 2180	2516	backup.exe	35
PID 2516 wrote to memory of 2180	2516	backup.exe	35
PID 2516 wrote to memory of 2180	2516	backup.exe	35
PID 2516 wrote to memory of 2180	2516	backup.exe	35
PID 2172 wrote to memory of 520	2172	backup.exe	36
PID 2172 wrote to memory of 520	2172	backup.exe	36
PID 2172 wrote to memory of 520	2172	backup.exe	36
PID 2172 wrote to memory of 520	2172	backup.exe	36
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 520 wrote to memory of 1376	520	backup.exe	37
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 1376 wrote to memory of 2268	1376	update.exe	38
PID 520 wrote to memory of 924	520	backup.exe	41
PID 520 wrote to memory of 924	520	backup.exe	41
PID 520 wrote to memory of 924	520	backup.exe	41
PID 520 wrote to memory of 924	520	backup.exe	41
PID 924 wrote to memory of 1816	924	backup.exe	39
PID 924 wrote to memory of 1816	924	backup.exe	39
PID 924 wrote to memory of 1816	924	backup.exe	39
PID 924 wrote to memory of 1816	924	backup.exe	39
PID 1816 wrote to memory of 1492	1816	backup.exe	40
PID 1816 wrote to memory of 1492	1816	backup.exe	40
PID 1816 wrote to memory of 1492	1816	backup.exe	40
PID 1816 wrote to memory of 1492	1816	backup.exe	40
PID 1816 wrote to memory of 1404	1816	backup.exe	42
PID 1816 wrote to memory of 1404	1816	backup.exe	42
PID 1816 wrote to memory of 1404	1816	backup.exe	42
PID 1816 wrote to memory of 1404	1816	backup.exe	42
PID 1404 wrote to memory of 2068	1404	backup.exe	43
PID 1404 wrote to memory of 2068	1404	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e9a9c09e827051e1b775a4e2daff0b70.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776
- C:\Users\Admin\AppData\Local\Temp\2373737469\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2373737469\backup.exe C:\Users\Admin\AppData\Local\Temp\2373737469\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2968
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2172
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2516
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Program Files\7-Zip\update.exe
        
        "C:\Program Files\7-Zip\update.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1376
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2268
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:924
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2488
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1472
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        
        PID:2240
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2864
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:2416
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:2204
      - C:\Program Files\DVD Maker\es-ES\update.exe
        
        "C:\Program Files\DVD Maker\es-ES\update.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:2652
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2524
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1484
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2840
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1432
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2020
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2608
    - - C:\Program Files\Microsoft Games\data.exe
        
        "C:\Program Files\Microsoft Games\data.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2228
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:972
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1396
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2012
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:2644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2256
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2528
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:2392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2456
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1244
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:968
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:2856
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:624
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:2052
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2164
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1612
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        
        PID:2596
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1124
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1936
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1132
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:824
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\
      4⤵
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\
      4⤵
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\
      4⤵
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\
      4⤵
      PID:1332
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\
    3⤵
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\
    3⤵
    PID:888
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\data.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - System policy modification
  PID:2244

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1816
- C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1492
- C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1404
- - C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2068
- - C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2924
- - C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1060
- - C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2940
- - C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2836
- - C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1716
- - C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2788
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2760
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3060
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1308
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1856
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2792
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:312
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1644
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3048
  - - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe
      "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:440
- - C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:856
- - C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:2592
- - C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
    3⤵
    PID:756
- - C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
    3⤵
    PID:2068
- - C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
    3⤵
    PID:2232
- - C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
    3⤵
    PID:1600
- - C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
    3⤵
    PID:2132
- - C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
    3⤵
    PID:740
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
  2⤵
  PID:268
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
    3⤵
    PID:2260
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
    3⤵
    PID:2084
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
    3⤵
    PID:1648
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
    3⤵
    PID:2352
- - C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
    3⤵
    PID:2800
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
  2⤵
  PID:2700
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
  2⤵
  PID:2124
- C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
  2⤵
  PID:1000
- C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
  2⤵
  PID:2312
- C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
  2⤵
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
37ff515f02bbc9c49832789e7f018adc

SHA1
3f5e1c3cea8ccd39512c71d367d01c77b87877d5

SHA256
3b33a3038fa1de8e4320b805cb4a34c4240726ce5f59e193dbf4a52cd7ce9b37

SHA512
923a89b11e1e8014f8dcc9d81a68d8dda485d5508636268ac75216fe680ee8e600e89a102fe5be2db84f77b060a261715a789629b911ebd80e0ff34a802451f0

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
1d30a9ddc7d388d7d1be3fe992cdaf02

SHA1
e209d3058d027450a057d3c902143d8f2de10354

SHA256
50c6a966be8209521dd5f9d6d97705f7d3d254d19d535388844f70dbab64304e

SHA512
c12f0d88573d9da8ff7463da5d4703e3e80b7cccf42646826736a1ee343ce61c607f07f2820e9e58df9e92aeb6f6011dcb209b08ec2d512176def7ce620990d2

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
1d30a9ddc7d388d7d1be3fe992cdaf02

SHA1
e209d3058d027450a057d3c902143d8f2de10354

SHA256
50c6a966be8209521dd5f9d6d97705f7d3d254d19d535388844f70dbab64304e

SHA512
c12f0d88573d9da8ff7463da5d4703e3e80b7cccf42646826736a1ee343ce61c607f07f2820e9e58df9e92aeb6f6011dcb209b08ec2d512176def7ce620990d2

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
C:\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
08f7f180a478a50a87b18f07f3f2b4bd

SHA1
e17b18e41ee8fe94ad1f7449fea2c05af7de58e3

SHA256
c8ef7adeb568bac5f57396f96f6f6e8f874a34f8c796e521334a2c48d158f359

SHA512
601510bbdd432f2604723babbe572dcf3916067af85eaa6782d44d76a774fffcce54551200f1336156338267222561f8481ee9db046301d0f22dccf6167ed7d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
08f7f180a478a50a87b18f07f3f2b4bd

SHA1
e17b18e41ee8fe94ad1f7449fea2c05af7de58e3

SHA256
c8ef7adeb568bac5f57396f96f6f6e8f874a34f8c796e521334a2c48d158f359

SHA512
601510bbdd432f2604723babbe572dcf3916067af85eaa6782d44d76a774fffcce54551200f1336156338267222561f8481ee9db046301d0f22dccf6167ed7d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
1b72ce0b4435db3a3b27c36dbcde5c57

SHA1
b49e260b93b4a1eed0aa1c1d6a3b910d3059867e

SHA256
a0227841c55f83c1b254ce0fa839b9e60454e96c70070501911113abcac190d4

SHA512
6fa9ac45d4032af1a27861b9331121ab96f31ade4aa18fd2f90321abfa2fabfd0084c791fba1a83d7d96959ed5fe6963e97bb309a5b93927e613912dc9e16945

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
1b72ce0b4435db3a3b27c36dbcde5c57

SHA1
b49e260b93b4a1eed0aa1c1d6a3b910d3059867e

SHA256
a0227841c55f83c1b254ce0fa839b9e60454e96c70070501911113abcac190d4

SHA512
6fa9ac45d4032af1a27861b9331121ab96f31ade4aa18fd2f90321abfa2fabfd0084c791fba1a83d7d96959ed5fe6963e97bb309a5b93927e613912dc9e16945

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
4f9eb1aa4a7b9b4769aefcf53505cc2e

SHA1
bdd4570b729fd9d1414368e397fa16aa2066512e

SHA256
7d4e91b76caf3e8d08738e18187d60bbf7a060c547286f17e6fcbd9bcf30d6df

SHA512
8224870801619cc85764d7b9e09de3e21a64c7f0b9d1c5c2e5014de11f3e954dd809725a725e2a2133f7ea809c6e681fcbbfa94d8a9c4f1b2d91ee55f6ec0ced

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
4f9eb1aa4a7b9b4769aefcf53505cc2e

SHA1
bdd4570b729fd9d1414368e397fa16aa2066512e

SHA256
7d4e91b76caf3e8d08738e18187d60bbf7a060c547286f17e6fcbd9bcf30d6df

SHA512
8224870801619cc85764d7b9e09de3e21a64c7f0b9d1c5c2e5014de11f3e954dd809725a725e2a2133f7ea809c6e681fcbbfa94d8a9c4f1b2d91ee55f6ec0ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\2373737469\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2373737469\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2373737469\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
C:\backup.exe

Filesize
447KB

MD5
587c2c20ebfb0d44905586f7305ccbc1

SHA1
d0c0922955114add94a69ca4fb017da71b6d7b95

SHA256
40a6f7c7a34dc3d22769901acdb96fcde9d8737ca0820ff553ad7ee4c27398bb

SHA512
6e419f79c50e7d1d194b76d1ec2db7d8a7e41618d0017b7ece2e847b8971d2dd90228e6a37868d5a15d9b85224c24bd53cf7a159c19cb894339868366a4742aa

Download Submit
C:\backup.exe

Filesize
447KB

MD5
587c2c20ebfb0d44905586f7305ccbc1

SHA1
d0c0922955114add94a69ca4fb017da71b6d7b95

SHA256
40a6f7c7a34dc3d22769901acdb96fcde9d8737ca0820ff553ad7ee4c27398bb

SHA512
6e419f79c50e7d1d194b76d1ec2db7d8a7e41618d0017b7ece2e847b8971d2dd90228e6a37868d5a15d9b85224c24bd53cf7a159c19cb894339868366a4742aa

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
37ff515f02bbc9c49832789e7f018adc

SHA1
3f5e1c3cea8ccd39512c71d367d01c77b87877d5

SHA256
3b33a3038fa1de8e4320b805cb4a34c4240726ce5f59e193dbf4a52cd7ce9b37

SHA512
923a89b11e1e8014f8dcc9d81a68d8dda485d5508636268ac75216fe680ee8e600e89a102fe5be2db84f77b060a261715a789629b911ebd80e0ff34a802451f0

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
37ff515f02bbc9c49832789e7f018adc

SHA1
3f5e1c3cea8ccd39512c71d367d01c77b87877d5

SHA256
3b33a3038fa1de8e4320b805cb4a34c4240726ce5f59e193dbf4a52cd7ce9b37

SHA512
923a89b11e1e8014f8dcc9d81a68d8dda485d5508636268ac75216fe680ee8e600e89a102fe5be2db84f77b060a261715a789629b911ebd80e0ff34a802451f0

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
1d30a9ddc7d388d7d1be3fe992cdaf02

SHA1
e209d3058d027450a057d3c902143d8f2de10354

SHA256
50c6a966be8209521dd5f9d6d97705f7d3d254d19d535388844f70dbab64304e

SHA512
c12f0d88573d9da8ff7463da5d4703e3e80b7cccf42646826736a1ee343ce61c607f07f2820e9e58df9e92aeb6f6011dcb209b08ec2d512176def7ce620990d2

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
1d30a9ddc7d388d7d1be3fe992cdaf02

SHA1
e209d3058d027450a057d3c902143d8f2de10354

SHA256
50c6a966be8209521dd5f9d6d97705f7d3d254d19d535388844f70dbab64304e

SHA512
c12f0d88573d9da8ff7463da5d4703e3e80b7cccf42646826736a1ee343ce61c607f07f2820e9e58df9e92aeb6f6011dcb209b08ec2d512176def7ce620990d2

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
447KB

MD5
ffc5117ada91eaf22ce12e818c201b05

SHA1
54b3fafadb31ce5fdb1e5e44a8cd5370a9d9c8f4

SHA256
31ef75978046b82f5f918067cc4adbb8434ea0ef53c759d297f476061fca1b39

SHA512
1953564a709a4918006f6cb2d08dace04118792133e0c421d38889743394bf07192562e6842295c9825d6760484ebbc8f40ad59ec8c80aefa2aaa0d2bb820072

Download Submit
\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
\Program Files\7-Zip\update.exe

Filesize
447KB

MD5
1f1020926841cdf01020d4c462fef2a1

SHA1
b981c3e920d96b467647e24e9f4fc208b222ebba

SHA256
f2fc86572bcac4af0e085051edb71531f1ec578410f423ef3f102242e7412712

SHA512
e24e7308038298edf4441959d55a92aca2cf583bbc878f14fec1a65fd4e85518959a05e2e28d1a04f194726cf4da132da5702f2159c396f72ed0b418ede83e80

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
08f7f180a478a50a87b18f07f3f2b4bd

SHA1
e17b18e41ee8fe94ad1f7449fea2c05af7de58e3

SHA256
c8ef7adeb568bac5f57396f96f6f6e8f874a34f8c796e521334a2c48d158f359

SHA512
601510bbdd432f2604723babbe572dcf3916067af85eaa6782d44d76a774fffcce54551200f1336156338267222561f8481ee9db046301d0f22dccf6167ed7d9

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
08f7f180a478a50a87b18f07f3f2b4bd

SHA1
e17b18e41ee8fe94ad1f7449fea2c05af7de58e3

SHA256
c8ef7adeb568bac5f57396f96f6f6e8f874a34f8c796e521334a2c48d158f359

SHA512
601510bbdd432f2604723babbe572dcf3916067af85eaa6782d44d76a774fffcce54551200f1336156338267222561f8481ee9db046301d0f22dccf6167ed7d9

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
447KB

MD5
b235bff3c219c076da73e7384d46c62a

SHA1
d4e07f574a1b051743814774270f51a439b314da

SHA256
6d254138c42ad27112e8d59fe44e16c0d94eb1afd3841e10e6df5d9c6318975c

SHA512
d34599c0c5aa5de9f6f2024d478105bf317ad544c3eea175e2b89d237d3f7e2c21c40bd60d56416c9347a61708f7499241d2c636356557ee91c6e744e1a6a54a

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
447KB

MD5
16ad1131668e6e379e4e2184fc8c62c8

SHA1
3f7e695978b4c7848877ce3855a68691b85fb437

SHA256
ec1c367b8a2976a4da114fdf7ab504c9d45397207ec13e9fda5f48b11b23c93f

SHA512
f19d94311502d5ab0b76955b481d4bff73c89813b4aca02befbe8f652df2ec2a0c309a7a7f2ba89dce0495650719fc9c9809ae9990af2d7e7efa6262a62c0bed

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
1b72ce0b4435db3a3b27c36dbcde5c57

SHA1
b49e260b93b4a1eed0aa1c1d6a3b910d3059867e

SHA256
a0227841c55f83c1b254ce0fa839b9e60454e96c70070501911113abcac190d4

SHA512
6fa9ac45d4032af1a27861b9331121ab96f31ade4aa18fd2f90321abfa2fabfd0084c791fba1a83d7d96959ed5fe6963e97bb309a5b93927e613912dc9e16945

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
1b72ce0b4435db3a3b27c36dbcde5c57

SHA1
b49e260b93b4a1eed0aa1c1d6a3b910d3059867e

SHA256
a0227841c55f83c1b254ce0fa839b9e60454e96c70070501911113abcac190d4

SHA512
6fa9ac45d4032af1a27861b9331121ab96f31ade4aa18fd2f90321abfa2fabfd0084c791fba1a83d7d96959ed5fe6963e97bb309a5b93927e613912dc9e16945

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
4f9eb1aa4a7b9b4769aefcf53505cc2e

SHA1
bdd4570b729fd9d1414368e397fa16aa2066512e

SHA256
7d4e91b76caf3e8d08738e18187d60bbf7a060c547286f17e6fcbd9bcf30d6df

SHA512
8224870801619cc85764d7b9e09de3e21a64c7f0b9d1c5c2e5014de11f3e954dd809725a725e2a2133f7ea809c6e681fcbbfa94d8a9c4f1b2d91ee55f6ec0ced

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
4f9eb1aa4a7b9b4769aefcf53505cc2e

SHA1
bdd4570b729fd9d1414368e397fa16aa2066512e

SHA256
7d4e91b76caf3e8d08738e18187d60bbf7a060c547286f17e6fcbd9bcf30d6df

SHA512
8224870801619cc85764d7b9e09de3e21a64c7f0b9d1c5c2e5014de11f3e954dd809725a725e2a2133f7ea809c6e681fcbbfa94d8a9c4f1b2d91ee55f6ec0ced

Download Submit
\Users\Admin\AppData\Local\Temp\2373737469\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
\Users\Admin\AppData\Local\Temp\2373737469\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
\Users\Admin\AppData\Local\Temp\Low\System Restore.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
6f0d273cfee28c34003edc93c01d9fe2

SHA1
36fe0497ffadcc8d54f6e07b943325123716328f

SHA256
3384ff4de49d951d99ae82d2af7dae2262b30b75b83f66ca70c7142263f2d540

SHA512
8d17164bd548732aff2400da1479f1fc822ea59f51386332bcf0a277b25dbbe937a829219808df19364cad8b1bdad54c1b23f4ea8d0366a62628e54293118e8c

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
447KB

MD5
c78b17468b681d1973e480f97dc2ca83

SHA1
d9b99fb95add720a5ca2df4df1ddbf350cde6b32

SHA256
b20a8342a18ae96e63f8def6abcd76f00f84119acf358dfbfc727b7289f2ab35

SHA512
27b1408e4bbaef6d4acdfec73cddf3e001f65e36816342cc7d483d1372c53d116fd4704553cf0e12449a25057433cbabe74769459745d67320e66dd497d49ce6

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
447KB

MD5
a2db610b48ed07faff9f087452e0f92d

SHA1
6130f4a392619ca971bfadf3b8433fbf42751796

SHA256
ce5307e6405aaca2f58349b773f353e6e7d4509b8e3d5a21d206d0312256526d

SHA512
40bdd9883df8c8aaf15c6f0ee06940f35c12ace8ecaeafb2e82dfb76c693eddf817315ef8b088498597d1edf4c779b3bda066e8373d6faef595fc280c46c0a0c

Download Submit
memory/520-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/520-181-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/924-183-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1052-277-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1060-247-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1376-122-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1376-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1404-259-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-219-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-227-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1404-285-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-321-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-242-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-304-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-241-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-298-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-284-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-195-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-296-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-185-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1404-263-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1404-261-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1492-172-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1816-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1816-218-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1816-167-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1816-179-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2036-314-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-199-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2088-269-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2164-307-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-105-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2172-98-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2172-132-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2180-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2184-274-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2184-262-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2184-286-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2184-260-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2184-280-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2268-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2268-128-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2268-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2268-130-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2516-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2604-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2664-24-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2664-28-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-11-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2776-47-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2776-23-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2776-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2776-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2792-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2792-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2836-325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2924-211-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2940-290-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2968-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2968-57-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2968-93-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2980-249-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3020-230-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3020-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads