f00c59099deab8b8780720092d53c151a6554cf07fa3da7a1f6c0c1e036c3030

Analysis

max time kernel
45s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
Size

447KB
MD5

409fd8f8f8b605f9ce9725d145576b90
SHA1

08762b6d83978340134d8805bc98b48d648cc4b9
SHA256

f00c59099deab8b8780720092d53c151a6554cf07fa3da7a1f6c0c1e036c3030
SHA512

518ce17be3feea618cf8eccf7831153417f9bbf8393ce6fe9feb6b4d5494ed48866188ad93bb595e077c7d549da9b430590dddd2b2767ecd9b1d59859869790e
SSDEEP

768:CpQNwC3BESe4Vqth+0V5vKPyLylze70wi3BEmj:CeT7BVwxfvLFwjRj

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 55 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 62 IoCs

pid	Process
2156	backup.exe
2800	backup.exe
2696	backup.exe
2900	backup.exe
2756	backup.exe
2648	backup.exe
2424	update.exe
1176	System Restore.exe
2692	backup.exe
1660	backup.exe
1064	backup.exe
2264	backup.exe
1028	data.exe
1984	backup.exe
2380	backup.exe
2324	backup.exe
2260	backup.exe
1824	backup.exe
1516	backup.exe
1800	backup.exe
2520	backup.exe
836	backup.exe
1716	update.exe
884	backup.exe
1652	backup.exe
2040	backup.exe
1612	backup.exe
2720	backup.exe
2808	backup.exe
2980	backup.exe
2900	backup.exe
2760	backup.exe
2232	backup.exe
2756	backup.exe
2648	backup.exe
2956	backup.exe
1944	update.exe
808	backup.exe
2508	backup.exe
2256	backup.exe
2820	backup.exe
740	backup.exe
1072	backup.exe
2344	backup.exe
1960	backup.exe
636	backup.exe
2372	backup.exe
944	backup.exe
1340	backup.exe
752	backup.exe
940	backup.exe
3052	backup.exe
1768	backup.exe
1728	backup.exe
2332	backup.exe
2864	backup.exe
2904	backup.exe
2388	backup.exe
2092	backup.exe
2668	System Restore.exe
2940	backup.exe
2968	update.exe

Loads dropped DLL 64 IoCs

pid	Process
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
2424	update.exe
2424	update.exe
2424	update.exe
1176	System Restore.exe
1176	System Restore.exe
2692	backup.exe
2692	backup.exe
1176	System Restore.exe
1176	System Restore.exe
1064	backup.exe
1064	backup.exe
2264	backup.exe
2264	backup.exe
1064	backup.exe
1064	backup.exe
1984	backup.exe
1984	backup.exe
2380	backup.exe
2380	backup.exe
1176	System Restore.exe
1176	System Restore.exe
2380	backup.exe
1984	backup.exe
1984	backup.exe
1064	backup.exe
1064	backup.exe
2380	backup.exe
1176	System Restore.exe
2380	backup.exe
1064	backup.exe
1176	System Restore.exe
2380	backup.exe
1984	backup.exe
1984	backup.exe
1716	update.exe
1716	update.exe
1716	update.exe
1800	backup.exe
1800	backup.exe
1516	backup.exe
1516	backup.exe
2260	backup.exe
2260	backup.exe
1716	update.exe
1716	update.exe
2720	backup.exe
2720	backup.exe
2720	backup.exe
1612	backup.exe
1612	backup.exe
2720	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1696-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x002a000000014bc1-5.dat	upx
behavioral1/files/0x002a000000014bc1-7.dat	upx
behavioral1/files/0x002a000000014bc1-12.dat	upx
behavioral1/files/0x002a000000014bc1-9.dat	upx
behavioral1/memory/2156-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000700000001561f-19.dat	upx
behavioral1/files/0x000700000001561f-24.dat	upx
behavioral1/files/0x000700000001561f-17.dat	upx
behavioral1/files/0x000a000000015c18-28.dat	upx
behavioral1/files/0x000a000000015c18-36.dat	upx
behavioral1/files/0x000a000000015c18-31.dat	upx
behavioral1/memory/2800-30-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x000800000001564c-40.dat	upx
behavioral1/files/0x000800000001564c-47.dat	upx
behavioral1/files/0x000800000001564c-43.dat	upx
behavioral1/memory/1696-42-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2900-52-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c70-53.dat	upx
behavioral1/files/0x0008000000015c70-55.dat	upx
behavioral1/memory/2156-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0008000000015c70-60.dat	upx
behavioral1/memory/2756-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x002b000000014f1a-66.dat	upx
behavioral1/files/0x002b000000014f1a-68.dat	upx
behavioral1/files/0x002b000000014f1a-72.dat	upx
behavioral1/memory/2648-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015c8f-77.dat	upx
behavioral1/files/0x0006000000015c8f-80.dat	upx
behavioral1/files/0x0006000000015c8f-82.dat	upx
behavioral1/memory/2696-81-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x002a000000014bc1-83.dat	upx
behavioral1/files/0x0007000000015c7c-89.dat	upx
behavioral1/files/0x0006000000015c8f-95.dat	upx
behavioral1/files/0x0007000000015c7c-96.dat	upx
behavioral1/files/0x0006000000015c8f-94.dat	upx
behavioral1/files/0x0006000000015c8f-99.dat	upx
behavioral1/files/0x0006000000015ca7-103.dat	upx
behavioral1/files/0x0006000000015ca7-107.dat	upx
behavioral1/files/0x0006000000015ca7-100.dat	upx
behavioral1/files/0x0006000000015ca7-112.dat	upx
behavioral1/memory/2424-114-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015ce9-116.dat	upx
behavioral1/files/0x0006000000015ce9-118.dat	upx
behavioral1/files/0x0006000000015ce9-123.dat	upx
behavioral1/files/0x0006000000015dc1-135.dat	upx
behavioral1/memory/1660-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015dc1-130.dat	upx
behavioral1/memory/2692-129-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0006000000015dc1-127.dat	upx
behavioral1/files/0x0006000000015dc1-140.dat	upx
behavioral1/files/0x0007000000015d39-144.dat	upx
behavioral1/memory/1176-148-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015d39-142.dat	upx
behavioral1/files/0x0007000000015d39-149.dat	upx
behavioral1/files/0x0007000000015d39-154.dat	upx
behavioral1/files/0x0006000000015e3e-156.dat	upx
behavioral1/files/0x0006000000015e3e-159.dat	upx
behavioral1/files/0x0006000000015e3e-174.dat	upx
behavioral1/memory/2264-179-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1028-178-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015ecd-180.dat	upx
behavioral1/files/0x0007000000015ecd-182.dat	upx
behavioral1/memory/1064-186-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\update.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe
File opened for modification	C:\Program Files\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\7-Zip\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Google\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
2156	backup.exe
2800	backup.exe
2696	backup.exe
2900	backup.exe
2756	backup.exe
2648	backup.exe
1176	System Restore.exe
2424	update.exe
2692	backup.exe
1660	backup.exe
1064	backup.exe
2264	backup.exe
1028	data.exe
1984	backup.exe
2380	backup.exe
2324	backup.exe
2260	backup.exe
1824	backup.exe
1516	backup.exe
1800	backup.exe
1716	update.exe
836	backup.exe
2520	backup.exe
884	backup.exe
1652	backup.exe
1612	backup.exe
2720	backup.exe
2808	backup.exe
2648	backup.exe
2756	backup.exe
2760	backup.exe
2900	backup.exe
2980	backup.exe
2956	backup.exe
2508	backup.exe
808	backup.exe
1944	update.exe
740	backup.exe
2820	backup.exe
1072	backup.exe
2256	backup.exe
2344	backup.exe
1960	backup.exe
2372	backup.exe
636	backup.exe
944	backup.exe
1340	backup.exe
752	backup.exe
940	backup.exe
1768	backup.exe
1728	backup.exe
3052	backup.exe
2864	backup.exe
2388	backup.exe
2904	backup.exe
2332	backup.exe
2092	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2156	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	28
PID 1696 wrote to memory of 2156	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	28
PID 1696 wrote to memory of 2156	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	28
PID 1696 wrote to memory of 2156	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	28
PID 1696 wrote to memory of 2800	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	29
PID 1696 wrote to memory of 2800	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	29
PID 1696 wrote to memory of 2800	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	29
PID 1696 wrote to memory of 2800	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	29
PID 1696 wrote to memory of 2696	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	30
PID 1696 wrote to memory of 2696	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	30
PID 1696 wrote to memory of 2696	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	30
PID 1696 wrote to memory of 2696	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	30
PID 1696 wrote to memory of 2900	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	31
PID 1696 wrote to memory of 2900	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	31
PID 1696 wrote to memory of 2900	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	31
PID 1696 wrote to memory of 2900	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	31
PID 1696 wrote to memory of 2756	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	32
PID 1696 wrote to memory of 2756	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	32
PID 1696 wrote to memory of 2756	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	32
PID 1696 wrote to memory of 2756	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	32
PID 1696 wrote to memory of 2648	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	33
PID 1696 wrote to memory of 2648	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	33
PID 1696 wrote to memory of 2648	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	33
PID 1696 wrote to memory of 2648	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	33
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 1696 wrote to memory of 2424	1696	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe	34
PID 2156 wrote to memory of 1176	2156	backup.exe	35
PID 2156 wrote to memory of 1176	2156	backup.exe	35
PID 2156 wrote to memory of 1176	2156	backup.exe	35
PID 2156 wrote to memory of 1176	2156	backup.exe	35
PID 1176 wrote to memory of 2692	1176	System Restore.exe	36
PID 1176 wrote to memory of 2692	1176	System Restore.exe	36
PID 1176 wrote to memory of 2692	1176	System Restore.exe	36
PID 1176 wrote to memory of 2692	1176	System Restore.exe	36
PID 2692 wrote to memory of 1660	2692	backup.exe	37
PID 2692 wrote to memory of 1660	2692	backup.exe	37
PID 2692 wrote to memory of 1660	2692	backup.exe	37
PID 2692 wrote to memory of 1660	2692	backup.exe	37
PID 1176 wrote to memory of 1064	1176	System Restore.exe	38
PID 1176 wrote to memory of 1064	1176	System Restore.exe	38
PID 1176 wrote to memory of 1064	1176	System Restore.exe	38
PID 1176 wrote to memory of 1064	1176	System Restore.exe	38
PID 1064 wrote to memory of 2264	1064	backup.exe	39
PID 1064 wrote to memory of 2264	1064	backup.exe	39
PID 1064 wrote to memory of 2264	1064	backup.exe	39
PID 1064 wrote to memory of 2264	1064	backup.exe	39
PID 2264 wrote to memory of 1028	2264	backup.exe	40
PID 2264 wrote to memory of 1028	2264	backup.exe	40
PID 2264 wrote to memory of 1028	2264	backup.exe	40
PID 2264 wrote to memory of 1028	2264	backup.exe	40
PID 1064 wrote to memory of 1984	1064	backup.exe	41
PID 1064 wrote to memory of 1984	1064	backup.exe	41
PID 1064 wrote to memory of 1984	1064	backup.exe	41
PID 1064 wrote to memory of 1984	1064	backup.exe	41
PID 1984 wrote to memory of 2380	1984	backup.exe	42
PID 1984 wrote to memory of 2380	1984	backup.exe	42
PID 1984 wrote to memory of 2380	1984	backup.exe	42
PID 1984 wrote to memory of 2380	1984	backup.exe	42
PID 2380 wrote to memory of 2324	2380	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.409fd8f8f8b605f9ce9725d145576b90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.409fd8f8f8b605f9ce9725d145576b90.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696
- C:\Users\Admin\AppData\Local\Temp\204387569\backup.exe
  C:\Users\Admin\AppData\Local\Temp\204387569\backup.exe C:\Users\Admin\AppData\Local\Temp\204387569\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2156
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1176
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2692
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1660
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1064
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2264
      - C:\Program Files\7-Zip\Lang\data.exe
        
        "C:\Program Files\7-Zip\Lang\data.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1984
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2324
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1652
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2756
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:636
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1768
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        
        PID:2388
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        
        PID:2960
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        
        PID:440
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        
        PID:2920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        
        PID:2824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        
        PID:3000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        
        PID:2300
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        
        PID:2780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1996
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1756
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:3044
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2600
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2844
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        
        PID:1796
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        
        PID:3016
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:2992
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        
        PID:1560
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1824
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:836
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2760
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:944
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2092
        
        C:\Program Files\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\update.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2756
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2532
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2684
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:1776
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2640
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1436
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1208
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:2136
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2768
        
        C:\Program Files\Common Files\System\msadc\data.exe
        
        "C:\Program Files\Common Files\System\msadc\data.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        
        PID:2248
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1516
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        System policy modification
        
        PID:2040
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2900
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:752
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1728
      - C:\Program Files\DVD Maker\Shared\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        
        PID:1928
    - - C:\Program Files\Google\update.exe
        
        "C:\Program Files\Google\update.exe" C:\Program Files\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1716
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2720
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2980
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:808
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:1968
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\System Restore.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:1836
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:1940
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:988
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:1508
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:1564
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2444
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2736
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:2752
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:844
    - - C:\Program Files\Mozilla Firefox\data.exe
        
        "C:\Program Files\Mozilla Firefox\data.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1120
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2440
    - - C:\Program Files\Reference Assemblies\data.exe
        
        "C:\Program Files\Reference Assemblies\data.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1700
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2260
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2808
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:740
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2876
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2956
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1092
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2792
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:372
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1764
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2040
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1972
    - - C:\Program Files (x86)\Internet Explorer\data.exe
        
        "C:\Program Files (x86)\Internet Explorer\data.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1604
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2832
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2864
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1668
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1660
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2224
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:884
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2648
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2508
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1072
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1340
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        Executes dropped EXE
        
        PID:2864
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:928
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2740
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2092
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1396
      - C:\Users\Admin\Saved Games\data.exe
        
        "C:\Users\Admin\Saved Games\data.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:1556
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2112
      - C:\Users\Admin\Videos\data.exe
        
        C:\Users\Admin\Videos\data.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2888
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1084
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2852
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:660
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:1576
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:836
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1060
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:2060
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1908
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:540
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
6d66832c4d48bff89a05a90b5a89d1b4

SHA1
2aaeadc5262a528a1c7e096071b05d0c8411c892

SHA256
cd3726e5da2258ebbb5c5101a282ec68e6bbafe3f0444d062edad5995d449fff

SHA512
deec98b3004e539ca1d8bdb82f113bd8e2080c9fea221ff77ca2fe264a8a70d8096a3f3979c86d66081d86dbadfc385dab411b1157cc4664916677e4323768c4

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
180f0aae4758f202b36c1b5d2a52c406

SHA1
b4b44fca9d780cb8deee54610e1755146ddf6bc7

SHA256
d7397c0bb59d606bd25b2135adcf9d7e50217f76415b33e43718e693abb25a10

SHA512
94563364454424b7b7b69765e42d90c8ed64a80127801582c02e793bc677609398d23ecbcc1e1dfbf318d5ad91c817259b5c2f86c5de7bbf008440141d3958fd

Download Submit
C:\PerfLogs\backup.exe

Filesize
447KB

MD5
180f0aae4758f202b36c1b5d2a52c406

SHA1
b4b44fca9d780cb8deee54610e1755146ddf6bc7

SHA256
d7397c0bb59d606bd25b2135adcf9d7e50217f76415b33e43718e693abb25a10

SHA512
94563364454424b7b7b69765e42d90c8ed64a80127801582c02e793bc677609398d23ecbcc1e1dfbf318d5ad91c817259b5c2f86c5de7bbf008440141d3958fd

Download Submit
C:\Program Files (x86)\backup.exe

Filesize
447KB

MD5
8e1f40106e421cdb9713542b5cd5e964

SHA1
68bb6705c9973e259f3cdcb550633fc17631e393

SHA256
54c85e0f364082fc07dfed4fe51d292fecdf269f1b5f7f61bcd481b0dc483171

SHA512
102d595db4cfeba00c7906b9a61d62c6747674e87c803971fe71a37e9ebd69978921aacea0f28cf038922b32d036534b4efab5eaad2463d6a6a8757a7baa653a

Download Submit
C:\Program Files\7-Zip\Lang\data.exe

Filesize
447KB

MD5
8b830478a1a42477c005aaaa07a1baf8

SHA1
8612374fc849eaade8a52a26b66d404bfc4d1ff7

SHA256
0a28949024d62b45fc5e0333f805b79adb41157550d9f4e9fc8f536a1f1f80ea

SHA512
f313c5602d6930371042f7c76089315a1efa23060289aebbec9446a3f2ae98f72ac8ed10efa6c17c26500aa443535631b3aef55a31f03740107bc0712b4dbc67

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
6e9f730660deb47502939e5e00893e9d

SHA1
b33fe7f67207f8a424c46b40bca7246bfe5da191

SHA256
eb5ddfc7bb69c6a0a8c8499ee9159dcd3fc516c00f8a850c57452956762ee61d

SHA512
09981a7df4cf14c0568f188ceadfd36b788d8a7b18ce0a5fa98f9f350ec99d304f8292943f0422b800b5687776236b57d2fe39d55b244c4958918eab81c13201

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
6e9f730660deb47502939e5e00893e9d

SHA1
b33fe7f67207f8a424c46b40bca7246bfe5da191

SHA256
eb5ddfc7bb69c6a0a8c8499ee9159dcd3fc516c00f8a850c57452956762ee61d

SHA512
09981a7df4cf14c0568f188ceadfd36b788d8a7b18ce0a5fa98f9f350ec99d304f8292943f0422b800b5687776236b57d2fe39d55b244c4958918eab81c13201

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
ad8f2a564a36c5853419478c8e7d5f22

SHA1
e59c8c20d3e05678a594877c296381bb3507dcf9

SHA256
c3b668720a446b7361c58e0e50f1e90de13cdcd54724633d21d8e519cf050122

SHA512
f71e40e7bdcdcf657c5538955439830b7344752dd2a4eb01751f8c0658d621718cd0ef207aa52ac5211a96509c1028aa9b6a50d79fc1f807199e7ee2c7456111

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
2e2d1f19a62c82a922563a2eb90b306c

SHA1
7a2dd9d12f254275fc99af171113892a6f7f8024

SHA256
116ddaf207e2ecdb6b48d7887ac2a84b8dec9dbb2cdedc5d3335f2661cd87e84

SHA512
cf801c0bab418b9e51f3440156c9211eeca490eb59dfd0174502655ffab60a5ea9876c0253aa503bb33c1d995c43b9d6e6f939aeb01c864b191ca3eeb5bce141

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
2e2d1f19a62c82a922563a2eb90b306c

SHA1
7a2dd9d12f254275fc99af171113892a6f7f8024

SHA256
116ddaf207e2ecdb6b48d7887ac2a84b8dec9dbb2cdedc5d3335f2661cd87e84

SHA512
cf801c0bab418b9e51f3440156c9211eeca490eb59dfd0174502655ffab60a5ea9876c0253aa503bb33c1d995c43b9d6e6f939aeb01c864b191ca3eeb5bce141

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
e855a6b6fe326a7ae266e678afd17685

SHA1
7b9e77cffc503ade077242a512bf2f2cb899e449

SHA256
35de133208b13dbef6e82d5af2e250182df302706671ebb8e85f241e0ef76188

SHA512
960f53a38baa1240185afaf1271a47e4d31f6b14eb9289d6111c645ded81566e0e867013c99aea676eb1fe09d95ad06bc0cb033765e0ea717a94fec93013031f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
e855a6b6fe326a7ae266e678afd17685

SHA1
7b9e77cffc503ade077242a512bf2f2cb899e449

SHA256
35de133208b13dbef6e82d5af2e250182df302706671ebb8e85f241e0ef76188

SHA512
960f53a38baa1240185afaf1271a47e4d31f6b14eb9289d6111c645ded81566e0e867013c99aea676eb1fe09d95ad06bc0cb033765e0ea717a94fec93013031f

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
2ecbeb1e5a0f78fc56a9a473fbd049a3

SHA1
68e59f3634ee9e59bcad1385c5ba0e7e043d8f9f

SHA256
e832fca36cf0dcd87f723861d1fe603e2abf72ecd74136c47079af6f9f2ed642

SHA512
8e9acc3f12b00603ba1e8e3eaee7eeb70739a60a6beeb898ca3f6a39ac19b76d526981f804b4ab36337f9b0dede283fbc5a03cfc8b8efa8d185bd0b8e990f3a4

Download Submit
C:\Program Files\backup.exe

Filesize
447KB

MD5
2ecbeb1e5a0f78fc56a9a473fbd049a3

SHA1
68e59f3634ee9e59bcad1385c5ba0e7e043d8f9f

SHA256
e832fca36cf0dcd87f723861d1fe603e2abf72ecd74136c47079af6f9f2ed642

SHA512
8e9acc3f12b00603ba1e8e3eaee7eeb70739a60a6beeb898ca3f6a39ac19b76d526981f804b4ab36337f9b0dede283fbc5a03cfc8b8efa8d185bd0b8e990f3a4

Download Submit
C:\System Restore.exe

Filesize
447KB

MD5
b0a3c43c68cc3e39f53e535d9ff54b06

SHA1
00d4578cb73d06bcc639813ec817730d0000e01a

SHA256
3301b175781e0f5f4e84ce22c55d8d4e9c26a25f5e5541597f9b7a497cd19069

SHA512
71afe97edaf27bca00dbf2e0f742c6af77ae78a7d71acf1804646a5532066db1a5b69bc438081ace7c3630dde6eee3f06515db7012b887f4b04b003a44048631

Download Submit
C:\System Restore.exe

Filesize
447KB

MD5
b0a3c43c68cc3e39f53e535d9ff54b06

SHA1
00d4578cb73d06bcc639813ec817730d0000e01a

SHA256
3301b175781e0f5f4e84ce22c55d8d4e9c26a25f5e5541597f9b7a497cd19069

SHA512
71afe97edaf27bca00dbf2e0f742c6af77ae78a7d71acf1804646a5532066db1a5b69bc438081ace7c3630dde6eee3f06515db7012b887f4b04b003a44048631

Download Submit
C:\Users\Admin\AppData\Local\Temp\204387569\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\204387569\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\204387569\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
32KB

MD5
4be18fc9b420c07c785d70cc372f260b

SHA1
409edb4df417d742a8b9c655223c8db29c551780

SHA256
33cc3ea603a523b0f84afecbd7d38df475079d1e39c024cca1e37a5ae90e7d7b

SHA512
2c4062979fa9e776922cf4f8071852302cb122e90a1d0308e23bb254f5924228b4d489f4ede1efc70049027a633dc5325c20cf609e62105813f2700ba04ef3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
6d66832c4d48bff89a05a90b5a89d1b4

SHA1
2aaeadc5262a528a1c7e096071b05d0c8411c892

SHA256
cd3726e5da2258ebbb5c5101a282ec68e6bbafe3f0444d062edad5995d449fff

SHA512
deec98b3004e539ca1d8bdb82f113bd8e2080c9fea221ff77ca2fe264a8a70d8096a3f3979c86d66081d86dbadfc385dab411b1157cc4664916677e4323768c4

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
447KB

MD5
6d66832c4d48bff89a05a90b5a89d1b4

SHA1
2aaeadc5262a528a1c7e096071b05d0c8411c892

SHA256
cd3726e5da2258ebbb5c5101a282ec68e6bbafe3f0444d062edad5995d449fff

SHA512
deec98b3004e539ca1d8bdb82f113bd8e2080c9fea221ff77ca2fe264a8a70d8096a3f3979c86d66081d86dbadfc385dab411b1157cc4664916677e4323768c4

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
180f0aae4758f202b36c1b5d2a52c406

SHA1
b4b44fca9d780cb8deee54610e1755146ddf6bc7

SHA256
d7397c0bb59d606bd25b2135adcf9d7e50217f76415b33e43718e693abb25a10

SHA512
94563364454424b7b7b69765e42d90c8ed64a80127801582c02e793bc677609398d23ecbcc1e1dfbf318d5ad91c817259b5c2f86c5de7bbf008440141d3958fd

Download Submit
\PerfLogs\backup.exe

Filesize
447KB

MD5
180f0aae4758f202b36c1b5d2a52c406

SHA1
b4b44fca9d780cb8deee54610e1755146ddf6bc7

SHA256
d7397c0bb59d606bd25b2135adcf9d7e50217f76415b33e43718e693abb25a10

SHA512
94563364454424b7b7b69765e42d90c8ed64a80127801582c02e793bc677609398d23ecbcc1e1dfbf318d5ad91c817259b5c2f86c5de7bbf008440141d3958fd

Download Submit
\Program Files (x86)\backup.exe

Filesize
447KB

MD5
8e1f40106e421cdb9713542b5cd5e964

SHA1
68bb6705c9973e259f3cdcb550633fc17631e393

SHA256
54c85e0f364082fc07dfed4fe51d292fecdf269f1b5f7f61bcd481b0dc483171

SHA512
102d595db4cfeba00c7906b9a61d62c6747674e87c803971fe71a37e9ebd69978921aacea0f28cf038922b32d036534b4efab5eaad2463d6a6a8757a7baa653a

Download Submit
\Program Files (x86)\backup.exe

Filesize
447KB

MD5
8e1f40106e421cdb9713542b5cd5e964

SHA1
68bb6705c9973e259f3cdcb550633fc17631e393

SHA256
54c85e0f364082fc07dfed4fe51d292fecdf269f1b5f7f61bcd481b0dc483171

SHA512
102d595db4cfeba00c7906b9a61d62c6747674e87c803971fe71a37e9ebd69978921aacea0f28cf038922b32d036534b4efab5eaad2463d6a6a8757a7baa653a

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
447KB

MD5
8b830478a1a42477c005aaaa07a1baf8

SHA1
8612374fc849eaade8a52a26b66d404bfc4d1ff7

SHA256
0a28949024d62b45fc5e0333f805b79adb41157550d9f4e9fc8f536a1f1f80ea

SHA512
f313c5602d6930371042f7c76089315a1efa23060289aebbec9446a3f2ae98f72ac8ed10efa6c17c26500aa443535631b3aef55a31f03740107bc0712b4dbc67

Download Submit
\Program Files\7-Zip\Lang\data.exe

Filesize
447KB

MD5
8b830478a1a42477c005aaaa07a1baf8

SHA1
8612374fc849eaade8a52a26b66d404bfc4d1ff7

SHA256
0a28949024d62b45fc5e0333f805b79adb41157550d9f4e9fc8f536a1f1f80ea

SHA512
f313c5602d6930371042f7c76089315a1efa23060289aebbec9446a3f2ae98f72ac8ed10efa6c17c26500aa443535631b3aef55a31f03740107bc0712b4dbc67

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
6e9f730660deb47502939e5e00893e9d

SHA1
b33fe7f67207f8a424c46b40bca7246bfe5da191

SHA256
eb5ddfc7bb69c6a0a8c8499ee9159dcd3fc516c00f8a850c57452956762ee61d

SHA512
09981a7df4cf14c0568f188ceadfd36b788d8a7b18ce0a5fa98f9f350ec99d304f8292943f0422b800b5687776236b57d2fe39d55b244c4958918eab81c13201

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
447KB

MD5
6e9f730660deb47502939e5e00893e9d

SHA1
b33fe7f67207f8a424c46b40bca7246bfe5da191

SHA256
eb5ddfc7bb69c6a0a8c8499ee9159dcd3fc516c00f8a850c57452956762ee61d

SHA512
09981a7df4cf14c0568f188ceadfd36b788d8a7b18ce0a5fa98f9f350ec99d304f8292943f0422b800b5687776236b57d2fe39d55b244c4958918eab81c13201

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
ad8f2a564a36c5853419478c8e7d5f22

SHA1
e59c8c20d3e05678a594877c296381bb3507dcf9

SHA256
c3b668720a446b7361c58e0e50f1e90de13cdcd54724633d21d8e519cf050122

SHA512
f71e40e7bdcdcf657c5538955439830b7344752dd2a4eb01751f8c0658d621718cd0ef207aa52ac5211a96509c1028aa9b6a50d79fc1f807199e7ee2c7456111

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
447KB

MD5
ad8f2a564a36c5853419478c8e7d5f22

SHA1
e59c8c20d3e05678a594877c296381bb3507dcf9

SHA256
c3b668720a446b7361c58e0e50f1e90de13cdcd54724633d21d8e519cf050122

SHA512
f71e40e7bdcdcf657c5538955439830b7344752dd2a4eb01751f8c0658d621718cd0ef207aa52ac5211a96509c1028aa9b6a50d79fc1f807199e7ee2c7456111

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
2e2d1f19a62c82a922563a2eb90b306c

SHA1
7a2dd9d12f254275fc99af171113892a6f7f8024

SHA256
116ddaf207e2ecdb6b48d7887ac2a84b8dec9dbb2cdedc5d3335f2661cd87e84

SHA512
cf801c0bab418b9e51f3440156c9211eeca490eb59dfd0174502655ffab60a5ea9876c0253aa503bb33c1d995c43b9d6e6f939aeb01c864b191ca3eeb5bce141

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
447KB

MD5
2e2d1f19a62c82a922563a2eb90b306c

SHA1
7a2dd9d12f254275fc99af171113892a6f7f8024

SHA256
116ddaf207e2ecdb6b48d7887ac2a84b8dec9dbb2cdedc5d3335f2661cd87e84

SHA512
cf801c0bab418b9e51f3440156c9211eeca490eb59dfd0174502655ffab60a5ea9876c0253aa503bb33c1d995c43b9d6e6f939aeb01c864b191ca3eeb5bce141

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
447KB

MD5
913a8b405f9274a720ae2eb1e9cb1901

SHA1
604156b4664b0ded64f2b2535c492d7fb72b613c

SHA256
0667939ce9402d669ca5550cdea11e83477dda05f6bec582f92ab3fca4edf13b

SHA512
7aef4d9ced70e61f337507b2cd8f19172090c9396f2a154eecbc859a70db53eef9e8028d07fb68ea2958e328d1355f320ce2eacc2ad0dfe2b545768aa95b1f73

Download Submit
\Program Files\Common Files\Services\backup.exe

Filesize
447KB

MD5
28af2086f48fd3be2b7b507130133876

SHA1
f48cf528a261977cad79299187fe47d62d0c20b3

SHA256
1f0c60ae5a4c95c5c6d324946baa7af4dbd9d5fc7d2676feb2ccf00f9ce4cd41

SHA512
3978afa7977c177dd0bfd38626556fc7679f439277538aa2e3ff6a07873ed4fe728c791bd426091f23ced31bbaa569e10bafd4e8514303ae51e6cc1d2519b31c

Download Submit
\Program Files\Common Files\Services\backup.exe

Filesize
447KB

MD5
28af2086f48fd3be2b7b507130133876

SHA1
f48cf528a261977cad79299187fe47d62d0c20b3

SHA256
1f0c60ae5a4c95c5c6d324946baa7af4dbd9d5fc7d2676feb2ccf00f9ce4cd41

SHA512
3978afa7977c177dd0bfd38626556fc7679f439277538aa2e3ff6a07873ed4fe728c791bd426091f23ced31bbaa569e10bafd4e8514303ae51e6cc1d2519b31c

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
e855a6b6fe326a7ae266e678afd17685

SHA1
7b9e77cffc503ade077242a512bf2f2cb899e449

SHA256
35de133208b13dbef6e82d5af2e250182df302706671ebb8e85f241e0ef76188

SHA512
960f53a38baa1240185afaf1271a47e4d31f6b14eb9289d6111c645ded81566e0e867013c99aea676eb1fe09d95ad06bc0cb033765e0ea717a94fec93013031f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
447KB

MD5
e855a6b6fe326a7ae266e678afd17685

SHA1
7b9e77cffc503ade077242a512bf2f2cb899e449

SHA256
35de133208b13dbef6e82d5af2e250182df302706671ebb8e85f241e0ef76188

SHA512
960f53a38baa1240185afaf1271a47e4d31f6b14eb9289d6111c645ded81566e0e867013c99aea676eb1fe09d95ad06bc0cb033765e0ea717a94fec93013031f

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
447KB

MD5
1321518d9a47f834b0320bf6d11ee348

SHA1
aa560e70ac9ab66d6612490fed8d52b726cb8cfb

SHA256
099c53b24acb5fea85df5e89a6b22bc343d051a988e2d4a277cbc7228b1b41e0

SHA512
169bdf0f024ac718e0433a762ff1ff6f03d0e01126abd9f9c79a4749afd4d69c9e1a9caec237ff7c6ca65e7f9678e7e05a0ce0b8878a8ce4e45c2d22fe6e82ed

Download Submit
\Program Files\DVD Maker\backup.exe

Filesize
447KB

MD5
1321518d9a47f834b0320bf6d11ee348

SHA1
aa560e70ac9ab66d6612490fed8d52b726cb8cfb

SHA256
099c53b24acb5fea85df5e89a6b22bc343d051a988e2d4a277cbc7228b1b41e0

SHA512
169bdf0f024ac718e0433a762ff1ff6f03d0e01126abd9f9c79a4749afd4d69c9e1a9caec237ff7c6ca65e7f9678e7e05a0ce0b8878a8ce4e45c2d22fe6e82ed

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
2ecbeb1e5a0f78fc56a9a473fbd049a3

SHA1
68e59f3634ee9e59bcad1385c5ba0e7e043d8f9f

SHA256
e832fca36cf0dcd87f723861d1fe603e2abf72ecd74136c47079af6f9f2ed642

SHA512
8e9acc3f12b00603ba1e8e3eaee7eeb70739a60a6beeb898ca3f6a39ac19b76d526981f804b4ab36337f9b0dede283fbc5a03cfc8b8efa8d185bd0b8e990f3a4

Download Submit
\Program Files\backup.exe

Filesize
447KB

MD5
2ecbeb1e5a0f78fc56a9a473fbd049a3

SHA1
68e59f3634ee9e59bcad1385c5ba0e7e043d8f9f

SHA256
e832fca36cf0dcd87f723861d1fe603e2abf72ecd74136c47079af6f9f2ed642

SHA512
8e9acc3f12b00603ba1e8e3eaee7eeb70739a60a6beeb898ca3f6a39ac19b76d526981f804b4ab36337f9b0dede283fbc5a03cfc8b8efa8d185bd0b8e990f3a4

Download Submit
\Users\Admin\AppData\Local\Temp\204387569\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\204387569\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\update.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
447KB

MD5
5703a75df11b63b1c0e36a055c5ac055

SHA1
4c8391b68e18963cecb35e4b85c815ea0287d439

SHA256
72daefc5d88f067396034d05c44bbc2e2ed266b176cdc16ec6407a70cbd71cf3

SHA512
60564442b3c1e3089e4d03c93a0aa54ac5667418b815925048130f51e290e9f582e3cd6dff6a2881e9e5a951a721be783245d502d9b49dc1924131b45c6ace8f

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
447KB

MD5
10068f3b4b8e9e86c1b388fdfae3d7a6

SHA1
e8c1ab19e067a984903414969358c019120304ea

SHA256
1847ffe41e7cdbc788fe02e15d2e881b96183610f6363c5c4a74d50229a2868d

SHA512
5e2e3952e796f1d850d5da6b915b3092997d1837fa128c08c666349e64c1024f28d80244a1d034d590859683ac066de4a0b5c56d5637799d4e844698dd870c10

Download Submit
memory/1028-178-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1064-280-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1064-309-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1064-268-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1064-195-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1064-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1176-188-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-136-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-242-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-278-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-275-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1176-102-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-282-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-310-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1176-138-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1516-277-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-61-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1696-35-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1696-289-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-217-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1696-23-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1696-158-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1696-42-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-48-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1696-11-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1800-273-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-271-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1824-308-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-279-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-203-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1984-201-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-230-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-265-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-262-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1984-221-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2156-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2156-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2156-90-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2156-91-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2260-276-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2264-179-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2324-233-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2380-214-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-234-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-299-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-232-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2380-274-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-216-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-281-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2380-205-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2424-97-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/2424-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2648-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2692-129-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2692-122-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2696-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2696-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2756-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2800-30-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2900-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads