51175b2d22e470a943f12c6acee6a60ae845b9bad36a1b4f91865f7069e28c76

Analysis

max time kernel
84s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Size

450KB
MD5

7845a4f627c524d3bf3559a310fdf480
SHA1

5f8d3001b28f4df0657dbf07a1b9d624e4036c46
SHA256

51175b2d22e470a943f12c6acee6a60ae845b9bad36a1b4f91865f7069e28c76
SHA512

765b21d808c9f4999025c85eab02c0f98470a7cbbb553641f34978279aeb29612d272f0d43256da2ac1900bba1a72790b64b7aeff5493042ee029e29f33341d9
SSDEEP

768:/pQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEmRjmJO:BeT7BVwxfvLFwjRRl

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1196	backup.exe
2560	backup.exe
3052	backup.exe
2748	backup.exe
2592	backup.exe
2716	backup.exe
2456	backup.exe
2032	backup.exe
2024	backup.exe
2792	backup.exe
2008	backup.exe
2384	backup.exe
2192	backup.exe
1032	backup.exe
884	backup.exe
2936	backup.exe
2856	backup.exe
1556	backup.exe
3036	backup.exe
1308	backup.exe
1560	backup.exe
320	backup.exe
560	data.exe
2420	backup.exe
2828	backup.exe
1672	data.exe
1632	backup.exe
2056	backup.exe
2072	backup.exe
2840	backup.exe
3020	backup.exe
2624	backup.exe
2836	backup.exe
2648	backup.exe
2496	System Restore.exe
2476	backup.exe
2552	backup.exe
2776	backup.exe
2316	backup.exe
2720	backup.exe
1740	backup.exe
2788	backup.exe
1968	backup.exe
2388	backup.exe
1792	backup.exe
1780	backup.exe
2912	backup.exe
752	backup.exe
580	backup.exe
2576	backup.exe
2948	backup.exe
1728	backup.exe
948	backup.exe
1784	backup.exe
1544	backup.exe
1676	backup.exe
836	backup.exe
1048	backup.exe
1164	backup.exe
2104	backup.exe
2420	backup.exe
1928	backup.exe
1536	backup.exe
2100	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
2748	backup.exe
2592	backup.exe
2592	backup.exe
2716	backup.exe
2716	backup.exe
2592	backup.exe
2592	backup.exe
2032	backup.exe
2032	backup.exe
2024	backup.exe
2024	backup.exe
2032	backup.exe
2032	backup.exe
2008	backup.exe
2008	backup.exe
2748	backup.exe
2384	backup.exe
2384	backup.exe
2384	backup.exe
2384	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe
2192	backup.exe
2192	backup.exe
884	backup.exe
884	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0036000000016c76-5.dat	upx
behavioral1/files/0x0036000000016c76-9.dat	upx
behavioral1/memory/1196-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0036000000016c76-12.dat	upx
behavioral1/files/0x0036000000016c76-7.dat	upx
behavioral1/files/0x0008000000016cf0-17.dat	upx
behavioral1/files/0x0008000000016cf0-23.dat	upx
behavioral1/files/0x0008000000016cf0-19.dat	upx
behavioral1/memory/2560-27-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2560-29-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d1d-30.dat	upx
behavioral1/files/0x0007000000016d1d-36.dat	upx
behavioral1/files/0x0007000000016d1d-32.dat	upx
behavioral1/files/0x0008000000016d01-47.dat	upx
behavioral1/files/0x0008000000016d01-43.dat	upx
behavioral1/memory/1596-42-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000016d01-40.dat	upx
behavioral1/files/0x0008000000016d01-50.dat	upx
behavioral1/files/0x0036000000016c76-52.dat	upx
behavioral1/files/0x0008000000016d63-53.dat	upx
behavioral1/memory/1196-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d6e-59.dat	upx
behavioral1/memory/2592-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000016d6e-65.dat	upx
behavioral1/files/0x0006000000016d97-67.dat	upx
behavioral1/files/0x0006000000016d97-69.dat	upx
behavioral1/files/0x0006000000016d97-74.dat	upx
behavioral1/files/0x0006000000016d97-78.dat	upx
behavioral1/files/0x0006000000016da6-80.dat	upx
behavioral1/files/0x0006000000016da6-84.dat	upx
behavioral1/files/0x0006000000016da6-88.dat	upx
behavioral1/memory/1596-83-0x0000000000350000-0x000000000036C000-memory.dmp	upx
behavioral1/memory/3052-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016ff2-98.dat	upx
behavioral1/memory/2716-95-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2456-94-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016ff2-96.dat	upx
behavioral1/files/0x0006000000016ff2-102.dat	upx
behavioral1/memory/2748-106-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-108-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000016ff2-109.dat	upx
behavioral1/files/0x0007000000016e61-111.dat	upx
behavioral1/files/0x0007000000016e61-113.dat	upx
behavioral1/files/0x0007000000016e61-117.dat	upx
behavioral1/files/0x0007000000016e61-121.dat	upx
behavioral1/files/0x000600000001710e-123.dat	upx
behavioral1/memory/2592-124-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000600000001710e-127.dat	upx
behavioral1/files/0x000600000001710e-132.dat	upx
behavioral1/memory/2024-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2792-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000017426-138.dat	upx
behavioral1/files/0x0005000000017426-144.dat	upx
behavioral1/files/0x0005000000017426-140.dat	upx
behavioral1/memory/2032-148-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0005000000017426-151.dat	upx
behavioral1/files/0x0007000000017240-155.dat	upx
behavioral1/files/0x0007000000017240-153.dat	upx
behavioral1/files/0x0007000000017240-160.dat	upx
behavioral1/files/0x0008000000016d63-165.dat	upx
behavioral1/files/0x0007000000017240-170.dat	upx
behavioral1/files/0x0008000000016d63-169.dat	upx
behavioral1/files/0x0004000000018689-178.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
1196	backup.exe
2560	backup.exe
3052	backup.exe
2748	backup.exe
2592	backup.exe
2716	backup.exe
2456	backup.exe
2032	backup.exe
2024	backup.exe
2792	backup.exe
2008	backup.exe
2384	backup.exe
1032	backup.exe
2192	backup.exe
884	backup.exe
2936	backup.exe
1556	backup.exe
2856	backup.exe
3036	backup.exe
1308	backup.exe
1560	backup.exe
320	backup.exe
560	data.exe
2420	backup.exe
2828	backup.exe
1672	data.exe
1632	backup.exe
2056	backup.exe
2072	backup.exe
2840	backup.exe
3020	backup.exe
2624	backup.exe
2836	backup.exe
2648	backup.exe
2496	System Restore.exe
2476	backup.exe
2552	backup.exe
2776	backup.exe
2316	backup.exe
2720	backup.exe
1740	backup.exe
1968	backup.exe
2788	backup.exe
2388	backup.exe
1792	backup.exe
1780	backup.exe
2912	backup.exe
752	backup.exe
580	backup.exe
2576	backup.exe
2948	backup.exe
1728	backup.exe
948	backup.exe
1544	backup.exe
1676	backup.exe
1784	backup.exe
836	backup.exe
1164	backup.exe
1048	backup.exe
2420	backup.exe
2104	backup.exe
1928	backup.exe
1536	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1196	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	28
PID 1596 wrote to memory of 1196	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	28
PID 1596 wrote to memory of 1196	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	28
PID 1596 wrote to memory of 1196	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	28
PID 1596 wrote to memory of 2560	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	29
PID 1596 wrote to memory of 2560	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	29
PID 1596 wrote to memory of 2560	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	29
PID 1596 wrote to memory of 2560	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	29
PID 1596 wrote to memory of 3052	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	30
PID 1596 wrote to memory of 3052	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	30
PID 1596 wrote to memory of 3052	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	30
PID 1596 wrote to memory of 3052	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	30
PID 1596 wrote to memory of 2748	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	31
PID 1596 wrote to memory of 2748	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	31
PID 1596 wrote to memory of 2748	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	31
PID 1596 wrote to memory of 2748	1596	NEAS.7845a4f627c524d3bf3559a310fdf480.exe	31
PID 1196 wrote to memory of 2592	1196	backup.exe	33
PID 1196 wrote to memory of 2592	1196	backup.exe	33
PID 1196 wrote to memory of 2592	1196	backup.exe	33
PID 1196 wrote to memory of 2592	1196	backup.exe	33
PID 2592 wrote to memory of 2716	2592	backup.exe	34
PID 2592 wrote to memory of 2716	2592	backup.exe	34
PID 2592 wrote to memory of 2716	2592	backup.exe	34
PID 2592 wrote to memory of 2716	2592	backup.exe	34
PID 2716 wrote to memory of 2456	2716	backup.exe	35
PID 2716 wrote to memory of 2456	2716	backup.exe	35
PID 2716 wrote to memory of 2456	2716	backup.exe	35
PID 2716 wrote to memory of 2456	2716	backup.exe	35
PID 2592 wrote to memory of 2032	2592	backup.exe	36
PID 2592 wrote to memory of 2032	2592	backup.exe	36
PID 2592 wrote to memory of 2032	2592	backup.exe	36
PID 2592 wrote to memory of 2032	2592	backup.exe	36
PID 2032 wrote to memory of 2024	2032	backup.exe	37
PID 2032 wrote to memory of 2024	2032	backup.exe	37
PID 2032 wrote to memory of 2024	2032	backup.exe	37
PID 2032 wrote to memory of 2024	2032	backup.exe	37
PID 2024 wrote to memory of 2792	2024	backup.exe	38
PID 2024 wrote to memory of 2792	2024	backup.exe	38
PID 2024 wrote to memory of 2792	2024	backup.exe	38
PID 2024 wrote to memory of 2792	2024	backup.exe	38
PID 2032 wrote to memory of 2008	2032	backup.exe	39
PID 2032 wrote to memory of 2008	2032	backup.exe	39
PID 2032 wrote to memory of 2008	2032	backup.exe	39
PID 2032 wrote to memory of 2008	2032	backup.exe	39
PID 2008 wrote to memory of 2384	2008	backup.exe	40
PID 2008 wrote to memory of 2384	2008	backup.exe	40
PID 2008 wrote to memory of 2384	2008	backup.exe	40
PID 2008 wrote to memory of 2384	2008	backup.exe	40
PID 2748 wrote to memory of 2192	2748	backup.exe	32
PID 2748 wrote to memory of 2192	2748	backup.exe	32
PID 2748 wrote to memory of 2192	2748	backup.exe	32
PID 2748 wrote to memory of 2192	2748	backup.exe	32
PID 2384 wrote to memory of 1032	2384	backup.exe	41
PID 2384 wrote to memory of 1032	2384	backup.exe	41
PID 2384 wrote to memory of 1032	2384	backup.exe	41
PID 2384 wrote to memory of 1032	2384	backup.exe	41
PID 2384 wrote to memory of 884	2384	backup.exe	42
PID 2384 wrote to memory of 884	2384	backup.exe	42
PID 2384 wrote to memory of 884	2384	backup.exe	42
PID 2384 wrote to memory of 884	2384	backup.exe	42
PID 884 wrote to memory of 2936	884	backup.exe	43
PID 884 wrote to memory of 2936	884	backup.exe	43
PID 884 wrote to memory of 2936	884	backup.exe	43
PID 884 wrote to memory of 2936	884	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.7845a4f627c524d3bf3559a310fdf480.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7845a4f627c524d3bf3559a310fdf480.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7845a4f627c524d3bf3559a310fdf480.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596
- C:\Users\Admin\AppData\Local\Temp\1938435458\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1938435458\backup.exe C:\Users\Admin\AppData\Local\Temp\1938435458\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1196
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2592
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2456
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2024
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2008
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2384
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3036
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3020
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2552
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2776
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1784
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1164
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        System policy modification
        
        PID:2436
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2340
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        System policy modification
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:3044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:1372
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:2292
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Drops file in Program Files directory
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:936
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2528
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:268
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1524
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2468
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:2020
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2800
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1704
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1252
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:2200
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        
        PID:2968
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2364
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:1308
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2060
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:2516
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2704
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        System policy modification
        
        PID:2564
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1328
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        System policy modification
        
        PID:1504
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
      - C:\Program Files\DVD Maker\it-IT\update.exe
        
        "C:\Program Files\DVD Maker\it-IT\update.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:2616
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:2144
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:1692
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:2460
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2960
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:1252
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1588
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:2600
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2420
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        
        PID:2100
      - C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:2124
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2620
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1036
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        System policy modification
        
        PID:2464
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:748
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1608
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        System policy modification
        
        PID:1340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2480
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1716
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:2708
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:2812
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1976
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1720
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:2488
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1576
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_it-it_93901c3a4b3202f3\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19547d296181e2f1\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:560
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12f946a076ab117d\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_47de2d731255733e\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6adc975af9262621\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_it-it_08f698280d505cad\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_it-it_12c97a69eb35cbde\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34a845bab576630e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_it-it_8eae41d26346aa47\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_it-it_c9ec6364712ba864\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca437073aa0936b0\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8268e948d76a9569\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ab14f08ed574aabd\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:752
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c8041f29b5424940\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0a853c6496d133da\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8499fd10d4591903\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ad460456d2632e57\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cd6e5679162fb2b4\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bdaee6cfbc3c4e3a\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_bfdffa97b92ad1d4\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a3b36275e4eccbd8\
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b473cc53b2be5f10\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e8e769c50632a79b\
      4⤵
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_10bf26ce3fd8b82f\
      4⤵
      Modifies visibility of file extensions in Explorer
      System policy modification
      PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_342593b4ce8f30ef\
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_52c3f443315a1ce2\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_52c3f443315a1ce2\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_52c3f443315a1ce2\
      4⤵
      PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a5e4763de1db4f72\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a5e4763de1db4f72\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a5e4763de1db4f72\
      4⤵
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b6a4e01baface2aa\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b6a4e01baface2aa\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b6a4e01baface2aa\
      4⤵
      PID:540
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_eb187d8d03212b35\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_eb187d8d03212b35\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_it-it_eb187d8d03212b35\
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b5799ff47b17c78\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b5799ff47b17c78\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b5799ff47b17c78\
      4⤵
      PID:2644
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000001\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System policy modification
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000002\
    3⤵
    - System policy modification
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000003\
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000004\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000005\
    3⤵
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\update.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\
    3⤵
    PID:852
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\update.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System policy modification
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
450KB

MD5
e17122fd2815898f3075677dbefdc1ad

SHA1
0cf895c5b232f3a6f688a3ad6ea8812273fea595

SHA256
2f7a923c89aea5eb060d3b419c9f47c20a6156e94e396fb1ad70bcf392714cb4

SHA512
2615384d9571ed8e3f5dd2b8f1b12efa43b4d3cbe3a29b659946ccfd72db759f15d8c6ae06fcf2607914e2d3d98eb2540786bbe71c40d472816e66f5355929e6

Download Submit
C:\PerfLogs\backup.exe

Filesize
450KB

MD5
a4af221040400501b60510fdcf40a600

SHA1
7928974fa6a86c9f7cdd45632a9f14c7271948c3

SHA256
dcbeb412bf58b4ae286612f966371f8ada644052ae397aac0aba2031e3a00288

SHA512
b11537f2b958879769bcb99929148e53dac520bb69770b1411bff83332b645b54d17c7d51337a0b478618da8ee5dd5701c341f0019339afa9375a11bfc083dfc

Download Submit
C:\PerfLogs\backup.exe

Filesize
450KB

MD5
a4af221040400501b60510fdcf40a600

SHA1
7928974fa6a86c9f7cdd45632a9f14c7271948c3

SHA256
dcbeb412bf58b4ae286612f966371f8ada644052ae397aac0aba2031e3a00288

SHA512
b11537f2b958879769bcb99929148e53dac520bb69770b1411bff83332b645b54d17c7d51337a0b478618da8ee5dd5701c341f0019339afa9375a11bfc083dfc

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
450KB

MD5
cf4b2a2e093d327348f2d8f8595b8972

SHA1
b51d8234be7f1db69885d294f69417f3a81d5c7c

SHA256
9901de1a41a952fa9b9eef7137931dc2d4ecedcf34d82d5549b3ce5b9c79d1db

SHA512
368d3400e31d6f9c647f8751879bc78ce69fabc90f9ab51df0780cff9d2b86c09885bd89105e8076b04dce90f7337302f9d43a7b4ee263055b942064a8f24db7

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
158e1a205f766a55998502defe282da4

SHA1
4faaff234f1b14441a9a4a48592e9cd81619b65b

SHA256
ac5040d4761814418a23f34d21f73356ef55224dce596d5ec6ab72232fc71c0e

SHA512
1f7115f5160956f8331621addb80883bb82e6182f9fafd741b5c57e1b2bb5b0452e17405c6cf237f1266b58f30a07851c8f5ae84855661f348cbf8249f9b9057

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
158e1a205f766a55998502defe282da4

SHA1
4faaff234f1b14441a9a4a48592e9cd81619b65b

SHA256
ac5040d4761814418a23f34d21f73356ef55224dce596d5ec6ab72232fc71c0e

SHA512
1f7115f5160956f8331621addb80883bb82e6182f9fafd741b5c57e1b2bb5b0452e17405c6cf237f1266b58f30a07851c8f5ae84855661f348cbf8249f9b9057

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
450KB

MD5
8568dbc956f103c5a6398a04c2a9fb08

SHA1
9ff8ee8e773b4a6a4326bc14b87e34014239686e

SHA256
3c055756475358ebad639a6b3d52d3f747ebee1f7dcaee15db8899082c4429d4

SHA512
ffd50cfdf5d42a5ead4c0c57e0a962749d8b3628c998f2b565b58932c4c398c6f371068b1998502e08fa25e55a837ebcaa7a738c6b3e9f9cb7216d28034142b5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
450KB

MD5
8568dbc956f103c5a6398a04c2a9fb08

SHA1
9ff8ee8e773b4a6a4326bc14b87e34014239686e

SHA256
3c055756475358ebad639a6b3d52d3f747ebee1f7dcaee15db8899082c4429d4

SHA512
ffd50cfdf5d42a5ead4c0c57e0a962749d8b3628c998f2b565b58932c4c398c6f371068b1998502e08fa25e55a837ebcaa7a738c6b3e9f9cb7216d28034142b5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
c7a9671e1756955e899b34b116c89370

SHA1
e097215d4fceb539c0fc9b6ff47f3bfcc1adeb77

SHA256
deef897c3095ae6870f5bfb355e00d0a43fddf266f78392c5281897f29478bbf

SHA512
2ae1ea65ccf4a4c52dae9642613c3300cdacca9e3530579328635236a1fd83eeae82a83c990b3ccbc5ee8583179904ad87568481bc30df2938792db5c8b3edc0

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
c7a9671e1756955e899b34b116c89370

SHA1
e097215d4fceb539c0fc9b6ff47f3bfcc1adeb77

SHA256
deef897c3095ae6870f5bfb355e00d0a43fddf266f78392c5281897f29478bbf

SHA512
2ae1ea65ccf4a4c52dae9642613c3300cdacca9e3530579328635236a1fd83eeae82a83c990b3ccbc5ee8583179904ad87568481bc30df2938792db5c8b3edc0

Download Submit
C:\Program Files\backup.exe

Filesize
450KB

MD5
bf05f94578eb0d8e4941bb445c2bc7b9

SHA1
c68192dfdb2d46eba213bb8a34e382dce629fe4d

SHA256
332e847a0a5dec91414c10fba648ad2af91aff05417817e52afba65795916706

SHA512
af1847b26e7c5e1a76a2c87b0a6534087ca2f8ca0b13cf3404653be79ad0ccd9b6d6952f7946704156ce5323725980ee4d149d4f75ff284cbea9b29d697c2e40

Download Submit
C:\Program Files\backup.exe

Filesize
450KB

MD5
bf05f94578eb0d8e4941bb445c2bc7b9

SHA1
c68192dfdb2d46eba213bb8a34e382dce629fe4d

SHA256
332e847a0a5dec91414c10fba648ad2af91aff05417817e52afba65795916706

SHA512
af1847b26e7c5e1a76a2c87b0a6534087ca2f8ca0b13cf3404653be79ad0ccd9b6d6952f7946704156ce5323725980ee4d149d4f75ff284cbea9b29d697c2e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\1938435458\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1938435458\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1938435458\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
450KB

MD5
7a95fa57afb6d02e41bd4a889e37561e

SHA1
a6f06a770a3f7e6ff8b64c5cffebbac9a6caf5a2

SHA256
bb907db82023332d4e2a2374fdb90f138d028c48b77d9f4702bf74ff8755c08c

SHA512
736eef4ef67fab273e52433b42a7547f9e9c905bb091231036dcbd15d8789d885648d70db0c57cf7318665d5a16b1576b5a573d2d24c119b73250651756b8cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
450KB

MD5
7a95fa57afb6d02e41bd4a889e37561e

SHA1
a6f06a770a3f7e6ff8b64c5cffebbac9a6caf5a2

SHA256
bb907db82023332d4e2a2374fdb90f138d028c48b77d9f4702bf74ff8755c08c

SHA512
736eef4ef67fab273e52433b42a7547f9e9c905bb091231036dcbd15d8789d885648d70db0c57cf7318665d5a16b1576b5a573d2d24c119b73250651756b8cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
450KB

MD5
aa23f796920807bb1de9cbabbbdcb392

SHA1
be026b85a4afc62d0829bf01fb8641b725ec483d

SHA256
abc4b556f871a382efa09a99f2146e1f2c1cec077815263fb6ec639c16ec5dd8

SHA512
91fc8cdcd69698fe3f01ed8133d2f01d7c2253fc65a75c75883617e8a88b9508b97ec4bcc8523a6e6e39354d3d78541fb3ab55a31486f025bef5d237db10c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
450KB

MD5
aa23f796920807bb1de9cbabbbdcb392

SHA1
be026b85a4afc62d0829bf01fb8641b725ec483d

SHA256
abc4b556f871a382efa09a99f2146e1f2c1cec077815263fb6ec639c16ec5dd8

SHA512
91fc8cdcd69698fe3f01ed8133d2f01d7c2253fc65a75c75883617e8a88b9508b97ec4bcc8523a6e6e39354d3d78541fb3ab55a31486f025bef5d237db10c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe

Filesize
450KB

MD5
df71c9535908234788fb55f1daead7ca

SHA1
28b44c204801ab4c31b0a0d5a65295fc2f9a95b5

SHA256
1d8e0111d92f9162ba8c9ee7309a265e10c01184db33c07487a72f3e4a948d85

SHA512
0237761cdb08d1e69bf7df991b979f675c4f1f807d4a6e19a8cad9a9f2d9d9895d1ccc0c551b3a3193a91966d8328ae6dba084697e01ae52c14079b052879268

Download Submit
C:\backup.exe

Filesize
450KB

MD5
ee1593d7fd6a2ff07c14de61885c0391

SHA1
212c6e1db8ec4cedc6ffecff4e517b8989512722

SHA256
4034b1881372a5a3f85ff9cfee6c0b7f695bb9ffa2f984c0b0fe32e3b2af4609

SHA512
8e0695016d236977146d7aa8c99b04d9cd9baeb2ff6ec8d56be1e5bcb7f3b6498d77786ee89e529b8c0c62d75cd7726cbb341a43f1227bfccb094e4c7637c9aa

Download Submit
C:\backup.exe

Filesize
450KB

MD5
ee1593d7fd6a2ff07c14de61885c0391

SHA1
212c6e1db8ec4cedc6ffecff4e517b8989512722

SHA256
4034b1881372a5a3f85ff9cfee6c0b7f695bb9ffa2f984c0b0fe32e3b2af4609

SHA512
8e0695016d236977146d7aa8c99b04d9cd9baeb2ff6ec8d56be1e5bcb7f3b6498d77786ee89e529b8c0c62d75cd7726cbb341a43f1227bfccb094e4c7637c9aa

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
450KB

MD5
e17122fd2815898f3075677dbefdc1ad

SHA1
0cf895c5b232f3a6f688a3ad6ea8812273fea595

SHA256
2f7a923c89aea5eb060d3b419c9f47c20a6156e94e396fb1ad70bcf392714cb4

SHA512
2615384d9571ed8e3f5dd2b8f1b12efa43b4d3cbe3a29b659946ccfd72db759f15d8c6ae06fcf2607914e2d3d98eb2540786bbe71c40d472816e66f5355929e6

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
450KB

MD5
e17122fd2815898f3075677dbefdc1ad

SHA1
0cf895c5b232f3a6f688a3ad6ea8812273fea595

SHA256
2f7a923c89aea5eb060d3b419c9f47c20a6156e94e396fb1ad70bcf392714cb4

SHA512
2615384d9571ed8e3f5dd2b8f1b12efa43b4d3cbe3a29b659946ccfd72db759f15d8c6ae06fcf2607914e2d3d98eb2540786bbe71c40d472816e66f5355929e6

Download Submit
\PerfLogs\backup.exe

Filesize
450KB

MD5
a4af221040400501b60510fdcf40a600

SHA1
7928974fa6a86c9f7cdd45632a9f14c7271948c3

SHA256
dcbeb412bf58b4ae286612f966371f8ada644052ae397aac0aba2031e3a00288

SHA512
b11537f2b958879769bcb99929148e53dac520bb69770b1411bff83332b645b54d17c7d51337a0b478618da8ee5dd5701c341f0019339afa9375a11bfc083dfc

Download Submit
\PerfLogs\backup.exe

Filesize
450KB

MD5
a4af221040400501b60510fdcf40a600

SHA1
7928974fa6a86c9f7cdd45632a9f14c7271948c3

SHA256
dcbeb412bf58b4ae286612f966371f8ada644052ae397aac0aba2031e3a00288

SHA512
b11537f2b958879769bcb99929148e53dac520bb69770b1411bff83332b645b54d17c7d51337a0b478618da8ee5dd5701c341f0019339afa9375a11bfc083dfc

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
450KB

MD5
cf4b2a2e093d327348f2d8f8595b8972

SHA1
b51d8234be7f1db69885d294f69417f3a81d5c7c

SHA256
9901de1a41a952fa9b9eef7137931dc2d4ecedcf34d82d5549b3ce5b9c79d1db

SHA512
368d3400e31d6f9c647f8751879bc78ce69fabc90f9ab51df0780cff9d2b86c09885bd89105e8076b04dce90f7337302f9d43a7b4ee263055b942064a8f24db7

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
450KB

MD5
cf4b2a2e093d327348f2d8f8595b8972

SHA1
b51d8234be7f1db69885d294f69417f3a81d5c7c

SHA256
9901de1a41a952fa9b9eef7137931dc2d4ecedcf34d82d5549b3ce5b9c79d1db

SHA512
368d3400e31d6f9c647f8751879bc78ce69fabc90f9ab51df0780cff9d2b86c09885bd89105e8076b04dce90f7337302f9d43a7b4ee263055b942064a8f24db7

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
158e1a205f766a55998502defe282da4

SHA1
4faaff234f1b14441a9a4a48592e9cd81619b65b

SHA256
ac5040d4761814418a23f34d21f73356ef55224dce596d5ec6ab72232fc71c0e

SHA512
1f7115f5160956f8331621addb80883bb82e6182f9fafd741b5c57e1b2bb5b0452e17405c6cf237f1266b58f30a07851c8f5ae84855661f348cbf8249f9b9057

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
450KB

MD5
158e1a205f766a55998502defe282da4

SHA1
4faaff234f1b14441a9a4a48592e9cd81619b65b

SHA256
ac5040d4761814418a23f34d21f73356ef55224dce596d5ec6ab72232fc71c0e

SHA512
1f7115f5160956f8331621addb80883bb82e6182f9fafd741b5c57e1b2bb5b0452e17405c6cf237f1266b58f30a07851c8f5ae84855661f348cbf8249f9b9057

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
450KB

MD5
8568dbc956f103c5a6398a04c2a9fb08

SHA1
9ff8ee8e773b4a6a4326bc14b87e34014239686e

SHA256
3c055756475358ebad639a6b3d52d3f747ebee1f7dcaee15db8899082c4429d4

SHA512
ffd50cfdf5d42a5ead4c0c57e0a962749d8b3628c998f2b565b58932c4c398c6f371068b1998502e08fa25e55a837ebcaa7a738c6b3e9f9cb7216d28034142b5

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
450KB

MD5
8568dbc956f103c5a6398a04c2a9fb08

SHA1
9ff8ee8e773b4a6a4326bc14b87e34014239686e

SHA256
3c055756475358ebad639a6b3d52d3f747ebee1f7dcaee15db8899082c4429d4

SHA512
ffd50cfdf5d42a5ead4c0c57e0a962749d8b3628c998f2b565b58932c4c398c6f371068b1998502e08fa25e55a837ebcaa7a738c6b3e9f9cb7216d28034142b5

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
450KB

MD5
d60eda4b50ac3aec46d61806463c393c

SHA1
38074f51657fde52b06749575c9bb9aaed3e99a9

SHA256
42cf1fe58df6fbf91b8959ae725feecf4595f70476b13ce162c6f8015268de1f

SHA512
939c49c8180856fb7a22c7ae6f60f8725fc5df688c72409fa735aa1552fff11b54a7bd4f797dbae22d76d66a92c0d6c6457c998f1795a0b96b61dc539228fb5c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
450KB

MD5
1e88ff6becccb09decae082a081adeea

SHA1
2ec08be2c8aac659feeca1bbb4057704cf8e79a7

SHA256
0f4e6adcd9cc57c96de3b02aa75ed9edda7593ebc42908cda189d9aa364034fb

SHA512
3739926be86411863407c15ae681d89fdfdbc03f06bef1f4a4fe20bd546f4e1c637bff3d585f0da25094f4944dfd85c3d110feaaaeabca1dc0715f84a07263d2

Download Submit
\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
c7a9671e1756955e899b34b116c89370

SHA1
e097215d4fceb539c0fc9b6ff47f3bfcc1adeb77

SHA256
deef897c3095ae6870f5bfb355e00d0a43fddf266f78392c5281897f29478bbf

SHA512
2ae1ea65ccf4a4c52dae9642613c3300cdacca9e3530579328635236a1fd83eeae82a83c990b3ccbc5ee8583179904ad87568481bc30df2938792db5c8b3edc0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
450KB

MD5
c7a9671e1756955e899b34b116c89370

SHA1
e097215d4fceb539c0fc9b6ff47f3bfcc1adeb77

SHA256
deef897c3095ae6870f5bfb355e00d0a43fddf266f78392c5281897f29478bbf

SHA512
2ae1ea65ccf4a4c52dae9642613c3300cdacca9e3530579328635236a1fd83eeae82a83c990b3ccbc5ee8583179904ad87568481bc30df2938792db5c8b3edc0

Download Submit
\Program Files\backup.exe

Filesize
450KB

MD5
bf05f94578eb0d8e4941bb445c2bc7b9

SHA1
c68192dfdb2d46eba213bb8a34e382dce629fe4d

SHA256
332e847a0a5dec91414c10fba648ad2af91aff05417817e52afba65795916706

SHA512
af1847b26e7c5e1a76a2c87b0a6534087ca2f8ca0b13cf3404653be79ad0ccd9b6d6952f7946704156ce5323725980ee4d149d4f75ff284cbea9b29d697c2e40

Download Submit
\Program Files\backup.exe

Filesize
450KB

MD5
bf05f94578eb0d8e4941bb445c2bc7b9

SHA1
c68192dfdb2d46eba213bb8a34e382dce629fe4d

SHA256
332e847a0a5dec91414c10fba648ad2af91aff05417817e52afba65795916706

SHA512
af1847b26e7c5e1a76a2c87b0a6534087ca2f8ca0b13cf3404653be79ad0ccd9b6d6952f7946704156ce5323725980ee4d149d4f75ff284cbea9b29d697c2e40

Download Submit
\Users\Admin\AppData\Local\Temp\1938435458\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\1938435458\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
450KB

MD5
e70e70b904aaf45bc7b327acccb4241e

SHA1
dfa6b2693386352b3c541abdbb8f21de9a7724b8

SHA256
5f5e996864b4e4650fb9256b8c606f1f9cc2a131a7baba569f1a24137afa71ae

SHA512
274528537d1bf1dac918bd82094a32f4a395c83611f33b26b2e56c07584ceb85ab4bc3357c97b480a79387d7c50dd3ab395853120f4ff485fc81549f0d96c4af

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
450KB

MD5
7a95fa57afb6d02e41bd4a889e37561e

SHA1
a6f06a770a3f7e6ff8b64c5cffebbac9a6caf5a2

SHA256
bb907db82023332d4e2a2374fdb90f138d028c48b77d9f4702bf74ff8755c08c

SHA512
736eef4ef67fab273e52433b42a7547f9e9c905bb091231036dcbd15d8789d885648d70db0c57cf7318665d5a16b1576b5a573d2d24c119b73250651756b8cca

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
450KB

MD5
7a95fa57afb6d02e41bd4a889e37561e

SHA1
a6f06a770a3f7e6ff8b64c5cffebbac9a6caf5a2

SHA256
bb907db82023332d4e2a2374fdb90f138d028c48b77d9f4702bf74ff8755c08c

SHA512
736eef4ef67fab273e52433b42a7547f9e9c905bb091231036dcbd15d8789d885648d70db0c57cf7318665d5a16b1576b5a573d2d24c119b73250651756b8cca

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
450KB

MD5
aa23f796920807bb1de9cbabbbdcb392

SHA1
be026b85a4afc62d0829bf01fb8641b725ec483d

SHA256
abc4b556f871a382efa09a99f2146e1f2c1cec077815263fb6ec639c16ec5dd8

SHA512
91fc8cdcd69698fe3f01ed8133d2f01d7c2253fc65a75c75883617e8a88b9508b97ec4bcc8523a6e6e39354d3d78541fb3ab55a31486f025bef5d237db10c9f7

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\backup.exe

Filesize
450KB

MD5
aa23f796920807bb1de9cbabbbdcb392

SHA1
be026b85a4afc62d0829bf01fb8641b725ec483d

SHA256
abc4b556f871a382efa09a99f2146e1f2c1cec077815263fb6ec639c16ec5dd8

SHA512
91fc8cdcd69698fe3f01ed8133d2f01d7c2253fc65a75c75883617e8a88b9508b97ec4bcc8523a6e6e39354d3d78541fb3ab55a31486f025bef5d237db10c9f7

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe

Filesize
450KB

MD5
df71c9535908234788fb55f1daead7ca

SHA1
28b44c204801ab4c31b0a0d5a65295fc2f9a95b5

SHA256
1d8e0111d92f9162ba8c9ee7309a265e10c01184db33c07487a72f3e4a948d85

SHA512
0237761cdb08d1e69bf7df991b979f675c4f1f807d4a6e19a8cad9a9f2d9d9895d1ccc0c551b3a3193a91966d8328ae6dba084697e01ae52c14079b052879268

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000000\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_it-it_8de3a272c60071d8\backup.exe

Filesize
450KB

MD5
df71c9535908234788fb55f1daead7ca

SHA1
28b44c204801ab4c31b0a0d5a65295fc2f9a95b5

SHA256
1d8e0111d92f9162ba8c9ee7309a265e10c01184db33c07487a72f3e4a948d85

SHA512
0237761cdb08d1e69bf7df991b979f675c4f1f807d4a6e19a8cad9a9f2d9d9895d1ccc0c551b3a3193a91966d8328ae6dba084697e01ae52c14079b052879268

Download Submit
memory/320-292-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/884-235-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/884-272-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/884-265-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1032-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1196-62-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1196-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1196-118-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1196-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-277-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-268-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1556-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1560-278-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1596-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1596-104-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1596-83-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1596-24-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1596-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1596-81-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1596-11-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2008-159-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2008-221-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2008-161-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2008-212-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2008-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2024-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-145-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2032-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-108-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2192-236-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2192-262-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2192-267-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2384-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2384-179-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-195-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-180-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-251-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-247-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-245-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-244-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2384-193-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2456-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-29-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-27-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2592-147-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-131-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-103-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2592-73-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-124-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2592-146-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-125-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2592-75-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2716-90-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2716-95-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2748-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2748-234-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/2792-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2856-253-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2936-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2936-214-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3036-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3052-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3052-209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads